A new MCP server called mcp-osascript is pushing the boundaries of what AI agents can do on macOS by giving Claude direct access to your machine's GUI layer. The project, created by developer m0rvayne and spotted on Hacker News this week, lets you prompt Claude to open apps, click menus, resize windows, read clipboard contents, manage browser tabs in Safari/Chrome/Arc, and even simulate keyboard input—all through 12 typed tools with real input validation.
What You Can Actually Do With It
Once installed (a simple npm/npx setup added to your Claude Desktop config), you get a surprisingly complete toolkit. Ask Claude to 'Open Safari and show me what tabs I have' and it launches the browser, reads every tab's title and URL, then reports back. Tell it to 'Move the Finder window to the left half of my screen' and it resizes and repositions the window using macOS accessibility APIs. The list goes on: type text into any active field (up to 500 characters), trigger keyboard shortcuts like Cmd+Shift+4 for screenshots, launch or focus apps by name, display native notification banners, and—crucially—introspect or click menu items in any application.
The Self-Healing Menu Trick
Here's where it gets interesting from a systems design perspective. When Claude tries to click a menu item that doesn't exist—like asking for 'Export as PDF' when the actual menu says 'Export as PDF...'-the server catches the error and returns the full list of available items at that menu level. Claude then retries with the correct name automatically. No other MCP server in this space has figured out this self-correction loop, and it's a genuinely clever pattern for dealing with UI drift across app versions.
Security Architecture Matters
The project doesn't just work—it works securely. Scripts execute via stdin piping to /usr/bin/osascript (no temp files, no TOCTOU race conditions). Child processes get a stripped environment: PATH, HOME, LANG only—no API keys or secrets leak out. URL schemes are allowlisted to http/https/mailto; file://, smb://, vnc://, and javascript: are all blocked. Script size caps at 50KB, output truncates at 50K characters, and handler dispatch uses Object.create(null) for prototype pollution protection. The concurrency semaphore limits simultaneous osascript processes to 5, and process group kill handles timeouts gracefully with SIGTERM → 2-second grace period → SIGKILL.
How It Stacks Up
Comparing mcp-osascript against the two other AppleScript MCP servers on GitHub (steipete at 824 stars and peakmojo at 463 stars), this newcomer stands out. It offers 12 typed tools versus generic implementations, proper URL scheme allowlisting that its competitors lack entirely, environment isolation instead of inheriting full process.env, prototype pollution protection, and self-correcting menu clicks. Most impressively, it ships with 41 integration tests covering input validation, security boundaries, timeout enforcement, and permission error handling—where the alternatives have zero.
Key Takeaways
- mcp-osascript gives Claude direct GUI control: windows, menus, keyboard input, browser tabs across Safari/Chrome/Arc
- Self-correcting menu clicks let Claude recover from wrong item names automatically—no manual retry needed
- Security-first architecture with stdin piping, env isolation, prototype pollution protection, and URL allowlisting
- 41 integration tests make this one of the most thoroughly tested MCP servers in the ecosystem
The Bottom Line
This is exactly the kind of infrastructure the AI agent ecosystem needs—tools that are actually useful AND secure by default. The self-healing menu pattern alone is worth studying; it's a clean solution to a real problem every GUI-automation developer faces. If you're building anything involving Claude controlling macOS, this belongs in your stack.