Applied Agents
Computer and browser use
Agents that click and type
A coding agent gets a purpose-built Agent-Computer Interface: clean tools for read, search, edit, run. But most software has no API and no clean tool - a legacy desktop app, a canvas UI, a website that only exists as pixels. Computer-use and browser agents close that gap by driving the GUI the way you do: look at the screen, decide, move the mouse, so one model can operate any application with no per-app integration. The catch is that "look at a screen and click the right pixel" is far harder and far less reliable than it sounds, and here a mis-click has real, irreversible effects.
The loop: perceive, decide, act, observe
A huge amount of real work has no endpoints: an internal admin panel, a vendor portal behind a login, a form that only exists in a browser. For those, the only interface is the one built for humans - the graphical one. closes that gap. Strip away the specifics and it is the same agent loop as everything else in this course - a model in a loop with a tool[1] - but the tool is unusual. Anthropic's Computer Use exposes a single schema-less computer tool: a screenshot goes in, a low-level UI action comes out.[2] The harness executes the action against the real display and returns a fresh screenshot, and the loop turns again.
Tap a node to see what it does.
The reference harness is almost boringly small - the same "while there is a tool call, run it" skeleton from the agent loop:[2]
def sampling_loop(model, messages, max_iterations=10):
for _ in range(max_iterations):
response = client.beta.messages.create(
model=model, max_tokens=4096, messages=messages,
tools=TOOLS, betas=["computer-use-2025-11-24"],
)
messages.append({"role": "assistant", "content": response.content})
tool_results = process_tool_calls(response) # runs screenshot / click / type
if not tool_results:
return messages # no tool call -> task complete
messages.append({"role": "user", "content": tool_results})
return messages # hit the safeguard limitprocess_tool_calls dispatches on the action name - "screenshot" captures the display, "left_click" clicks input["coordinate"], "type" types input["text"] - and returns each result as a tool_result. OpenAI's API frames the same handshake with different nouns: the model returns a computer_call, your harness executes it and replies with a computer_call_output carrying the new screenshot (send it at full resolution, detail: "original", for click accuracy).[3]
State lives in the screen, not the model
The action space
The action space is the finite vocabulary of moves the model may emit - the GUI equivalent of a coding agent's tool list. Anthropic's computer tool grew it version by version, which is a nice map of what "operate a computer" actually requires:[2]
| Beta version | Actions added | Why it matters |
|---|---|---|
| Basic (all) | screenshot, left_click [x,y], type, key (e.g. ctrl+s), mouse_move | The minimum to see, point, and type - enough to drive most forms. |
| Enhanced (2025-01-24) | scroll, left_click_drag, right/middle_click, double/triple_click, mouse_down/up, hold_key, wait | Real UIs need dragging, context menus, and waiting for pages to settle. |
| Newest (2025-11-24) | zoom [x1,y1,x2,y2] - view a region at full resolution | Lets the model read small text (line numbers, tab titles) it cannot resolve at screenshot scale - a direct fix for a grounding failure. |
OpenAI's CUA returns a near-identical vocabulary: click, double_click, drag, scroll, type, keypress, move, wait, screenshot.[4] The action spaces have converged because the target - a human GUI - is the same.
Grounding: the hard problem
is turning "click the Save button" into the exact pixel (219, 168), and it is the reason these agents are fragile. The model has to localise a target in a raster image with enough precision to land inside a 36-pixel-tall button. Anthropic trains the model to reason about coordinates relative to reference points, but three grounding hazards recur:[2]
| Grounding hazard | What goes wrong |
|---|---|
| Coordinate drift | If you downscale a large screen before sending it, the model's coordinates are in scaled space. You must scale them back to real pixels, or every click lands off-target. |
| Unreadable small text | Screenshots cap at ~1.15 MP on older models (up to 2576 px on newer ones); tiny labels blur out. The zoom action re-samples a region at full resolution to recover them. |
| Finicky widgets | Dropdowns, scrollbars, and sliders are tiny hit-targets. The workaround is to prefer keyboard shortcuts over trying to mouse them precisely. |
The 'assume success' failure mode
Two ways to see: pixels versus the accessibility tree
The whole field splits on how the agent perceives the page. One family reads pixels; the other reads the structure - the DOM or accessibility tree. This is the split between and general pixel-based computer use. Same task, two representations:
Pixel / vision agents - Computer Use, Operator/CUA
left_click [512, 340]). It works on any GUI (desktop apps, canvas, legacy software) with no API - but grounding is error-prone, every step ships a full screenshot (slow, token-heavy), and it cannot see off-screen content.DOM / accessibility-tree agents - browser-use
click(7)). Reading the page structure with Playwright[5], it needs no grounding, is faster and more reliable on the web, and can see hidden/off-screen nodes - but it is blind to anything drawn only as pixels (canvas, video, a screenshot inside the page).[6]The map of who does what
- Anthropic Computer Use - pixels. Schema-less
computertool in a sandbox (Xvfb virtual display, Firefox/LibreOffice pre-installed). Public beta since Oct 2024.[2] - OpenAI Operator / CUA - pixels. GPT-4o-class vision plus reinforcement learning, runs its own browser, hands control back for logins, payments, and CAPTCHAs.[4][7]
- browser-use - DOM/accessibility tree. Open-source (MIT), model-agnostic (Claude, GPT, Gemini, local), click-by-index. Best for reliable web automation.[5]
- Project Mariner (Google DeepMind) - multimodal. Gemini sees the Chrome tab, with "Teach & Repeat" (learn a workflow once, replay it) and up to ~10 tasks running at once.[8]
Browser use is more reliable and cheaper when the target is a web page, because the structure is already machine-readable. Pixel-based computer use is the universal fallback: it is the only option for native applications, but it inherits every difficulty of grounding intent in raw coordinates. Many production systems blend the two - lead with the DOM, fall back to pixels for a stubborn canvas or an embedded widget.
Reliability and safety: be honest about the limits
Benchmarks make the state of the art concrete, and cut through the demo hype. Read the last row carefully:
| Benchmark | What it tests | Best 2025 score |
|---|---|---|
| WebVoyager | Live-website tasks, end to end | 87% (CUA)[4] · 83.5% (Mariner)[8] |
| WebArena | Realistic multi-step web tasks | 58.1% (CUA)[4] |
| OSWorld | Full computer use (any desktop app) | 38.1% (CUA)[4] |
Curated web tasks look strong, but OSWorld about 38% is the honest number for general computer use: most real desktop tasks still fail if you walk away. External sites block automation, CAPTCHAs stall the agent, and a small UI change derails a memorised path - Project Mariner ships with exactly these warnings.[8] Treat these agents as capable-but-supervised, not autonomous. This mirrors the benchmark-versus-reality gap from the evaluation lesson.
- Grounding error. The model picks the right action but the wrong pixel, clicking a nearby link or an ad instead of the button it intended.
- Latency and cost. Every step is a full model call over a large image, so a ten-step task is ten screenshots and ten inferences. Computer-use agents are slow and token-heavy compared with an API call.
- Timing and dynamism. Pages load asynchronously. Act before content settles and the click hits stale layout, so the agent must wait, re-observe, and confirm state rather than fire actions blindly.
- Blockers. Cookie banners, captchas, infinite scroll, and popups sit between the agent and its goal, and each is a place a long task can stall or derail.
A mis-click has real effects - and prompt injection is the signature threat
The safety stack for a GUI agent
- Sandbox everything. A dedicated VM/container with minimal privileges and an empty environment, so the browser cannot inherit host secrets.[2]
- Allowlist domains and keep a human in the loop for consequential actions - payments, sending messages, deletion, anything touching ToS.[7]
- Injection classifiers that pause for user confirmation when a screenshot looks suspicious, plus
pending_safety_checkshandoffs for logins and CAPTCHAs.[2][3] - Prefer DOM for the web, pixels only when there is no API (desktop, canvas, legacy) - reliability follows from picking the right perception mode.[6]
- Verify end-to-end. Put the instruction text before the screenshot in the request (it improves click accuracy), and confirm outcomes with real browser checks, not assumptions.[2][9]
Check yourself
Match each concept to what it describes.
mapping an intent to exact pixel coordinates
acting through the DOM and accessibility tree
hidden instructions steering the agent
A pixel-based computer-use agent sees a screenshot and must click the "Save" button. Which part of this is the notorious, error-prone step?
A web agent can see a page as pixels or as the accessibility/DOM tree. In one line each, what does each approach gain, and what is it blind to?
What does each depend on to land an action? Try to state it, then check.
Lock it in
- It is the same loop with a universal tool. Screenshot (or accessibility tree) in, model decides, low-level UI action out, new screenshot. One model drives any app, no per-app API.
- The action space is small and converged: click, type, scroll, drag, key, wait, zoom, screenshot. Newer models add
zoomand higher-res captures to read small text. - Grounding is the hard problem. Mapping intent to exact pixels is error-prone; watch for coordinate drift on downscale, unreadable text, and finicky widgets (use keyboard shortcuts).
- Pixels versus DOM is the core architectural fork. Pixels work anywhere but are fragile and slow; DOM/accessibility tree is fast and reliable on the web but blind to canvas.
- Reliability is not there yet (OSWorld about 38%), and a mis-click is real. Sandbox, allowlist domains, keep a human in the loop, and defend against prompt injection.
Primary source
Computer use tool - Claude Platform DocsThe complete action space across beta versions, the agent-loop reference code, screenshot resolution and coordinate-scaling rules, the zoom action, effort tuning, and the built-in prompt-injection classifiers. The one page to read end-to-end.
Sources
- 1.Simon Willison, How coding agents work
- 2.Anthropic, Computer use tool (Claude Platform Docs)
- 3.OpenAI, Computer use tool guide (API docs)
- 4.OpenAI, Computer-Using Agent (CUA)
- 5.browser-use (GitHub)
- 6.Helicone, browser-use vs computer use vs Operator
- 7.OpenAI, Introducing Operator
- 8.Google DeepMind, Project Mariner
- 9.Anthropic, Effective harnesses for long-running agents