I honestly don't think anyone starred, watched or forked it because it was a person with cancer. They starred it because it's a good app. One that is missing on macOS.
Today, I used it to weed out hundreds of Linkedin "followings" with Safari. worked like a champ. It does very well at coding tasks too and automating Xcode builds.
The goal to emphasize that it was built for macOS26 users.
The original website is https://agent.macOS26.app and it clear states it's for macOS26 even thought I still get users asking if it works with El Cap a tan.
A little of both. System prompt guidance with programming structured flow undearneath the hood. May add more guardrails but the more you put in place the more the AI/LLM will find another way.
I've locked down Agent! from one of its processes and run it in a VM and it tried everything it could to break out. It couldn't but it was fun watching it trying to resign compiled Dylibs, the Launch Agents / Daemons and itself. Because of SMAppService, it lost connection with its background process and once it basically hosed itself, I ended the experiment.
The Launch Daemon is 100% optional and can better turned off along with its tools. It's there to help users install things like software updates or disk commands that required elevated access.
It operates under least priv. And the user must approve the Launch Agent (runs under use space, same as running locally within the App), and the Launch Daemon. There are 4 levels involved and the Daemon is last on the list and is rarely used. The user can just disable it and its tools get disabled as well. The LLM won't be able to use it in that state.
What gets used:
1. AppleScript/Osascript TCC, runs within the app, user approve each app being automated
2. AgentScript/Swift Dylibs/ScriptingBridge, same TCC runs within the app
3. Local shell scripting - backup if the user's Launch Agent (user space is down
4. Launch Agent (runs in the user space), primary for running shell commands.
5. Launch Daemon, software updates, etc. Anything the previous 4 layers can't handle. Rarely ever used. can be turned off by the user. I have used it to access the security of the Mac itself and it was surprisingly accurate and thorough.
I can totally agree on the harness part. When I first set out to create a Cursor killer nearly 3 years ago, I built LLM tools, but when I didn't know then has I tried to wrap the LLM's brain around the tools when it needed to be the other way around.
Looks me off an on three years to realize I was doing it backwards. Agent was originally born after I re-wrote CloneTool, a more generic Disk Cloning too with an SMAppService Launch Daemon.
After I completed CloneTool, I was like mmmmm what is I connected an LLM to the Daemon? It rattled of 50 things it could do and it had no knowledge of this anywhere in the harness, system prompt or tools. It simply had figured out its environment on its own.
I never ran Agent under that scenario it definitely has a hardness now. And yes getting the hardness right is a number one challenge and once you do get it working good with most LLMs out of the box, you try not to change it because that sweet spot is hard to come by. Not to say it never gets tweaked but the further in you go, the more you chringe on a change that may break it.
