Skip to content

Applied Agents

Computer and browser use

Agents that click and type

A coding agent gets a purpose-built Agent-Computer Interface: clean tools for read, search, edit, run. But most software has no API and no clean tool - a legacy desktop app, a canvas UI, a website that only exists as pixels. Computer-use and browser agents close that gap by driving the GUI the way you do: look at the screen, decide, move the mouse, so one model can operate any application with no per-app integration. The catch is that "look at a screen and click the right pixel" is far harder and far less reliable than it sounds, and here a mis-click has real, irreversible effects.

The loop: perceive, decide, act, observe

A huge amount of real work has no endpoints: an internal admin panel, a vendor portal behind a login, a form that only exists in a browser. For those, the only interface is the one built for humans - the graphical one. closes that gap. Strip away the specifics and it is the same agent loop as everything else in this course - a model in a loop with a tool[1] - but the tool is unusual. Anthropic's Computer Use exposes a single schema-less computer tool: a screenshot goes in, a low-level UI action comes out.[2] The harness executes the action against the real display and returns a fresh screenshot, and the loop turns again.

Tap a node to see what it does.

The computer-use loop. The environment hands the model a screenshot (or an accessibility tree); the model grounds the target and emits one low-level action; the harness executes it and a fresh screenshot closes the loop. Swap the screenshot tool for a file-editor tool and this is exactly the coding-agent loop.

The reference harness is almost boringly small - the same "while there is a tool call, run it" skeleton from the agent loop:[2]

def sampling_loop(model, messages, max_iterations=10):
    for _ in range(max_iterations):
        response = client.beta.messages.create(
            model=model, max_tokens=4096, messages=messages,
            tools=TOOLS, betas=["computer-use-2025-11-24"],
        )
        messages.append({"role": "assistant", "content": response.content})
        tool_results = process_tool_calls(response)   # runs screenshot / click / type
        if not tool_results:
            return messages          # no tool call -> task complete
        messages.append({"role": "user", "content": tool_results})
    return messages                  # hit the safeguard limit
computer_agent.py - the sampling loop: keep calling the model, run each tool call, stop when no tool call comes back.

process_tool_calls dispatches on the action name - "screenshot" captures the display, "left_click" clicks input["coordinate"], "type" types input["text"] - and returns each result as a tool_result. OpenAI's API frames the same handshake with different nouns: the model returns a computer_call, your harness executes it and replies with a computer_call_output carrying the new screenshot (send it at full resolution, detail: "original", for click accuracy).[3]

State lives in the screen, not the model

Between turns the agent remembers nothing about the screen except the screenshots you feed back. A modal that opened, a field that got focus, a toast that already faded - if it is not in the latest image, the agent cannot reason about it.

The action space

The action space is the finite vocabulary of moves the model may emit - the GUI equivalent of a coding agent's tool list. Anthropic's computer tool grew it version by version, which is a nice map of what "operate a computer" actually requires:[2]

Beta versionActions addedWhy it matters
Basic (all)screenshot, left_click [x,y], type, key (e.g. ctrl+s), mouse_moveThe minimum to see, point, and type - enough to drive most forms.
Enhanced (2025-01-24)scroll, left_click_drag, right/middle_click, double/triple_click, mouse_down/up, hold_key, waitReal UIs need dragging, context menus, and waiting for pages to settle.
Newest (2025-11-24)zoom [x1,y1,x2,y2] - view a region at full resolutionLets the model read small text (line numbers, tab titles) it cannot resolve at screenshot scale - a direct fix for a grounding failure.
Anthropic's computer tool grew its action space version by version - a map of what operating a computer actually requires.

OpenAI's CUA returns a near-identical vocabulary: click, double_click, drag, scroll, type, keypress, move, wait, screenshot.[4] The action spaces have converged because the target - a human GUI - is the same.

Grounding: the hard problem

is turning "click the Save button" into the exact pixel (219, 168), and it is the reason these agents are fragile. The model has to localise a target in a raster image with enough precision to land inside a 36-pixel-tall button. Anthropic trains the model to reason about coordinates relative to reference points, but three grounding hazards recur:[2]

Grounding hazardWhat goes wrong
Coordinate driftIf you downscale a large screen before sending it, the model's coordinates are in scaled space. You must scale them back to real pixels, or every click lands off-target.
Unreadable small textScreenshots cap at ~1.15 MP on older models (up to 2576 px on newer ones); tiny labels blur out. The zoom action re-samples a region at full resolution to recover them.
Finicky widgetsDropdowns, scrollbars, and sliders are tiny hit-targets. The workaround is to prefer keyboard shortcuts over trying to mouse them precisely.
The three grounding hazards. Each is why zoom, higher-res captures, and keyboard-first interaction exist.

The 'assume success' failure mode

Left alone, computer-use models tend to assume the last action worked and barrel on - a wrong click compounds into a wrecked session. The standard mitigation is a loop discipline baked into the prompt: "After each step, take a screenshot and carefully evaluate whether you achieved the right outcome. Show your thinking. If not correct, try again."[2] This is just the verify-and-self-correct phase, forced to run on every turn because the environment gives no error message when you miss.

Two ways to see: pixels versus the accessibility tree

The whole field splits on how the agent perceives the page. One family reads pixels; the other reads the structure - the DOM or accessibility tree. This is the split between and general pixel-based computer use. Same task, two representations:

Pixel / vision agents - Computer Use, Operator/CUA

The model sees a screenshot and returns coordinates (left_click [512, 340]). It works on any GUI (desktop apps, canvas, legacy software) with no API - but grounding is error-prone, every step ships a full screenshot (slow, token-heavy), and it cannot see off-screen content.

DOM / accessibility-tree agents - browser-use

The harness extracts indexed elements and the model picks one by index (click(7)). Reading the page structure with Playwright[5], it needs no grounding, is faster and more reliable on the web, and can see hidden/off-screen nodes - but it is blind to anything drawn only as pixels (canvas, video, a screenshot inside the page).[6]

The map of who does what

  • Anthropic Computer Use - pixels. Schema-less computer tool in a sandbox (Xvfb virtual display, Firefox/LibreOffice pre-installed). Public beta since Oct 2024.[2]
  • OpenAI Operator / CUA - pixels. GPT-4o-class vision plus reinforcement learning, runs its own browser, hands control back for logins, payments, and CAPTCHAs.[4][7]
  • browser-use - DOM/accessibility tree. Open-source (MIT), model-agnostic (Claude, GPT, Gemini, local), click-by-index. Best for reliable web automation.[5]
  • Project Mariner (Google DeepMind) - multimodal. Gemini sees the Chrome tab, with "Teach & Repeat" (learn a workflow once, replay it) and up to ~10 tasks running at once.[8]

Browser use is more reliable and cheaper when the target is a web page, because the structure is already machine-readable. Pixel-based computer use is the universal fallback: it is the only option for native applications, but it inherits every difficulty of grounding intent in raw coordinates. Many production systems blend the two - lead with the DOM, fall back to pixels for a stubborn canvas or an embedded widget.

Reliability and safety: be honest about the limits

Benchmarks make the state of the art concrete, and cut through the demo hype. Read the last row carefully:

BenchmarkWhat it testsBest 2025 score
WebVoyagerLive-website tasks, end to end87% (CUA)[4] · 83.5% (Mariner)[8]
WebArenaRealistic multi-step web tasks58.1% (CUA)[4]
OSWorldFull computer use (any desktop app)38.1% (CUA)[4]
Curated web tasks look strong, but OSWorld is the honest number for general computer use.

Curated web tasks look strong, but OSWorld about 38% is the honest number for general computer use: most real desktop tasks still fail if you walk away. External sites block automation, CAPTCHAs stall the agent, and a small UI change derails a memorised path - Project Mariner ships with exactly these warnings.[8] Treat these agents as capable-but-supervised, not autonomous. This mirrors the benchmark-versus-reality gap from the evaluation lesson.

  1. Grounding error. The model picks the right action but the wrong pixel, clicking a nearby link or an ad instead of the button it intended.
  2. Latency and cost. Every step is a full model call over a large image, so a ten-step task is ten screenshots and ten inferences. Computer-use agents are slow and token-heavy compared with an API call.
  3. Timing and dynamism. Pages load asynchronously. Act before content settles and the click hits stale layout, so the agent must wait, re-observe, and confirm state rather than fire actions blindly.
  4. Blockers. Cookie banners, captchas, infinite scroll, and popups sit between the agent and its goal, and each is a place a long task can stall or derail.

A mis-click has real effects - and prompt injection is the signature threat

Unlike a chatbot, this agent acts on the world: it can send the message, submit the payment, or delete the file. Worse, the pixels and text it reads are untrusted input. A malicious web page or on-screen banner can carry instructions that hijack the agent - this is prompt injection, and "in some circumstances the model will follow commands found in content even when they conflict with your instructions."[2] There is no complete defense, only layers.

The safety stack for a GUI agent

  • Sandbox everything. A dedicated VM/container with minimal privileges and an empty environment, so the browser cannot inherit host secrets.[2]
  • Allowlist domains and keep a human in the loop for consequential actions - payments, sending messages, deletion, anything touching ToS.[7]
  • Injection classifiers that pause for user confirmation when a screenshot looks suspicious, plus pending_safety_checks handoffs for logins and CAPTCHAs.[2][3]
  • Prefer DOM for the web, pixels only when there is no API (desktop, canvas, legacy) - reliability follows from picking the right perception mode.[6]
  • Verify end-to-end. Put the instruction text before the screenshot in the request (it improves click accuracy), and confirm outcomes with real browser checks, not assumptions.[2][9]

Check yourself

Match each concept to what it describes.

drop here

mapping an intent to exact pixel coordinates

drop here

acting through the DOM and accessibility tree

drop here

hidden instructions steering the agent

A pixel-based computer-use agent sees a screenshot and must click the "Save" button. Which part of this is the notorious, error-prone step?

A web agent can see a page as pixels or as the accessibility/DOM tree. In one line each, what does each approach gain, and what is it blind to?

What does each depend on to land an action? Try to state it, then check.

Lock it in

  • It is the same loop with a universal tool. Screenshot (or accessibility tree) in, model decides, low-level UI action out, new screenshot. One model drives any app, no per-app API.
  • The action space is small and converged: click, type, scroll, drag, key, wait, zoom, screenshot. Newer models add zoom and higher-res captures to read small text.
  • Grounding is the hard problem. Mapping intent to exact pixels is error-prone; watch for coordinate drift on downscale, unreadable text, and finicky widgets (use keyboard shortcuts).
  • Pixels versus DOM is the core architectural fork. Pixels work anywhere but are fragile and slow; DOM/accessibility tree is fast and reliable on the web but blind to canvas.
  • Reliability is not there yet (OSWorld about 38%), and a mis-click is real. Sandbox, allowlist domains, keep a human in the loop, and defend against prompt injection.

Primary source

Computer use tool - Claude Platform Docs

The complete action space across beta versions, the agent-loop reference code, screenshot resolution and coordinate-scaling rules, the zoom action, effort tuning, and the built-in prompt-injection classifiers. The one page to read end-to-end.

Sources

  1. 1.Simon Willison, How coding agents work
  2. 2.Anthropic, Computer use tool (Claude Platform Docs)
  3. 3.OpenAI, Computer use tool guide (API docs)
  4. 4.OpenAI, Computer-Using Agent (CUA)
  5. 5.browser-use (GitHub)
  6. 6.Helicone, browser-use vs computer use vs Operator
  7. 7.OpenAI, Introducing Operator
  8. 8.Google DeepMind, Project Mariner
  9. 9.Anthropic, Effective harnesses for long-running agents