AI Agent Security on Mac: The Complete Guide for 2026

I use Claude Code every single day to build CoreLock. AI agents are genuinely the future of productivity — I'm not being hyperbolic. The amount of work I ship now compared to two years ago is absurd. But AI agents are also the biggest shift in personal computer security since we started connecting to the internet, and I don't think most people have caught up to that reality yet.

This guide covers everything you need to know about running AI agents safely on your Mac. Whether you're using OpenClaw, Claude Code, MCP tools, or custom agents you've built yourself, the threat model is fundamentally the same. And the defenses are more straightforward than you might expect.

What Are AI Agents?

If you've landed here and you're not deep in the AI space, let me give you the quick version. AI agents are software that use large language models (like Claude, GPT, or open-source alternatives) to take actions on your computer — not just generate text, but actually do things.

OpenClaw is the biggest name right now. Open-source, over 150,000 GitHub stars, and it can browse the web, send emails, run Terminal commands, manage your calendar, and automate almost anything on your Mac. Think of it as giving an AI intern the keys to your entire machine.

Claude Code is Anthropic's coding agent. It runs in your Terminal, reads and writes files across your codebase, executes shell commands, and can manage entire development workflows. It's what I use to build CoreLock, and it's remarkably capable.

MCP (Model Context Protocol) is the protocol that lets AI agents connect to external tools — databases, APIs, messaging services, file systems, email providers. MCP is what turns a chatbot into an agent. Any MCP server you connect gives the agent a new set of capabilities, and a new set of potential attack surfaces.

Then there are custom agents built with frameworks like LangChain, CrewAI, and AutoGen. If someone on your team built an AI automation that runs locally, it falls into this category.

What all of these have in common: they run on your Mac, with your permissions, and they can take actions autonomously. That last part is the important bit.

How AI Agents Access Your Mac

To understand the security implications, you need to understand the access chain. When you run an AI agent on your Mac, here's what's actually happening:

Terminal access. Most agents run inside Terminal.app or a similar shell. Whatever commands you can run, the agent can run. That includes rm -rf, curl to any server, ssh to remote machines, sudo if it knows your password. There's no privilege separation between you typing a command and an agent typing one.

File system access. Agents can read, write, and delete any file your user account has access to. Your documents, your SSH keys, your .env files with API keys, your browser history, your password manager exports. If it's on your disk and not protected by Full Disk Access restrictions, it's accessible.

Network access. Every agent makes HTTP requests — at minimum to the LLM API it's calling, but usually to many more endpoints. An agent processing web pages, sending emails, or calling APIs is making outbound connections that your Mac's firewall won't block (the firewall only handles incoming connections).

macOS permissions. Here's where it gets subtle. When an agent runs inside Terminal, it inherits whatever permissions Terminal has been granted. If Terminal has Full Disk Access, so does the agent. If it has Accessibility permissions, the agent can control your UI. If it has Screen Recording access, the agent can see everything on your display.

MCP tools. Each MCP server you connect extends the agent's reach. A Slack MCP server gives it access to your workspace. A file system MCP server gives it access to specific directories. A database MCP server gives it query access. These all compound.

The access chain looks like this: You give the agent a task. The agent decides which tools and commands to use. Those tools inherit your macOS permissions. And each action happens at machine speed, with minimal human oversight.

The AI Agent Threat Model

I've been building security software for two years. Here are the six threat categories I think about most when it comes to AI agents.

1. Prompt Injection

This is the single biggest risk, and the one least understood by most users. Prompt injection is when malicious instructions are hidden inside content that an AI agent processes — an email, a web page, a PDF, a chat message, a code comment.

The agent reads the content, interprets the hidden instructions as legitimate commands, and executes them. It's not a bug in the agent. It's a fundamental limitation of how language models process text — they can't reliably distinguish between "content to analyze" and "instructions to follow."

This isn't theoretical. CrowdStrike documented cases where hidden instructions in Discord messages caused agents to leak private conversations. There have been prompt injection attempts designed to drain cryptocurrency wallets, embedded in emails that agents were asked to summarize. We covered real-world incidents in detail in our AI agent gone rogue post.

2. Supply Chain Attacks

Agents depend on ecosystems of skills, plugins, MCP servers, and third-party tools. If any of these are malicious or compromised, the agent becomes a delivery mechanism for the attack.

OpenClaw's skill marketplace, npm packages for MCP servers, GitHub repos for custom tools — all of these are supply chain vectors. A skill that looks helpful could be exfiltrating your files in the background. An MCP server could be logging every query you send through it. We did a full analysis of this attack surface in malicious OpenClaw skills and supply chain attacks.

3. Data Exfiltration

An agent with network access and file system access can send your data anywhere. Your .env files with API keys, your SSH private keys, your browser cookies, your source code — all of it can be packaged and sent to an external server with a single curl command.

The scary part is that this can happen as a side effect of prompt injection. The agent doesn't intend to exfiltrate your data. It's just following instructions it found embedded in a document it was processing. If you're curious about what your Mac is sending over the network right now, we have a guide on checking for unauthorized data transmission.

4. Unmonitored Process Spawning

When an agent runs a shell command, it spawns a child process. That process might spawn its own children. A single agent task — like "set up a development environment" — could create dozens of processes: package installations, script executions, background services, build tools.

Without process monitoring, you have no idea what's running. A compromised command could install a persistent daemon, open a reverse shell, or create a hidden background process that outlives the agent session. I've seen agents leave behind processes that were still running hours after the user closed the agent.

5. Permission Accumulation

Over time, the tools in your AI agent stack accumulate macOS permissions. Terminal gets Full Disk Access. The browser automation tool gets Accessibility and Screen Recording. The messaging bridge gets microphone access. The MCP file server gets permission to specific directories.

Each of these permissions persists indefinitely. They don't expire when the agent stops running. And any tool in the chain, if compromised later, inherits all of those permissions. This is the same permission creep problem that affects all Mac apps, but AI agents accelerate it dramatically because they require so many supporting tools.

6. Persistence Installation

This is the one that keeps me up at night. A compromised agent can install a LaunchAgent — a plist file that tells macOS to run a program every time you log in. The agent creates the file, and even after you close the agent, the malicious program runs on every reboot.

LaunchAgents live in ~/Library/LaunchAgents/ and require no special permissions to create. Your agent already has file system access. Creating a persistence mechanism is trivial.

ls -la ~/Library/LaunchAgents/

If you see plist files you don't recognize, open them and check the ProgramArguments key to see what they're actually launching.

What macOS Protects You From (And What It Doesn't)

Apple has built genuinely strong security primitives into macOS. But they were designed for a world where humans launch apps and interact with them manually. AI agents break that model.

What macOS handles well:

• Gatekeeper blocks unsigned or unnotarized apps from running. This catches a lot of traditional malware.
• XProtect scans for known malware signatures and removes them automatically.
• SIP (System Integrity Protection) prevents modification of critical system files, even by root.
• TCC (Transparency, Consent, and Control) requires explicit user permission before apps can access the camera, microphone, files, and other sensitive resources.

What macOS does NOT protect you from:

• What a trusted app does after being granted permissions. TCC is a gate, not a guard. Once Terminal has Full Disk Access, macOS doesn't monitor what Terminal does with it.
• Prompt injection effects. macOS has no concept of "an AI agent was tricked by hidden instructions in a PDF."
• Process monitoring. macOS doesn't alert you when a new background process spawns, even if it was created by an agent.
• Outbound network monitoring. The built-in firewall blocks incoming connections. Outgoing data goes unchecked.
• Behavioral analysis. There's no macOS mechanism that says "this app is behaving differently than it usually does."

The gap between what agents can do and what macOS can monitor is where the risk lives. We covered the full macOS security stack — and its limits — in our antivirus guide.

The Complete AI Agent Security Checklist

Here's the practical part. I run through some version of this every time I start and stop an agent session. It takes a few minutes, and it's the difference between working with confidence and working blind.

Before Running an Agent

1. Review your host app's permissions.

Check what permissions Terminal (or whatever app runs your agent) currently has:

Go to System Settings > Privacy & Security and look for your host app under Full Disk Access, Accessibility, Screen Recording, and Input Monitoring. If Terminal has permissions it doesn't need for the task at hand, consider revoking them temporarily.

2. Check what MCP tools and skills are installed.

For Claude Code, review your MCP configuration:

cat ~/.claude/settings.json | grep -A 5 "mcpServers"

For OpenClaw, check installed skills:

ls ~/.openclaw/skills/

Every tool connected is a potential attack surface. Remove anything you're not actively using.

3. Baseline your process count.

ps aux | wc -l

Write down the number. You'll compare after the session.

4. Baseline your network connections.

lsof -i -P | grep ESTABLISHED | wc -l

Same thing. Know what's connected now so you can spot new connections later.

During Agent Sessions

5. Don't ask agents to process untrusted content.

This is the single most important behavioral change. If someone emails you a document and you don't know them, don't ask your AI agent to summarize it. That's the primary prompt injection vector. Open it yourself first. Read it. If it looks normal, then feed it to the agent.

Same with web pages. If someone posts a link in a Discord server or Slack channel, open it in your browser first. Don't paste it directly into an agent prompt.

6. Be cautious with MCP servers from untrusted sources.

Only connect MCP servers from sources you trust. Review the source code before connecting. An MCP server is arbitrary code running on your machine with access to whatever resources it requests. Treat it like installing a new app, because that's essentially what it is.

7. Review agent actions before confirming.

If your agent has a confirmation mode — Claude Code does, for example — actually read what it's about to do before you approve. Don't just spam "yes" through the prompts. I know it's tempting. I've done it. But one malicious command you approve is all it takes.

After Agent Sessions

8. Compare your process count.

ps aux | wc -l

If it's significantly higher than your baseline, investigate the new processes:

ps aux | tail -20

9. Check for new LaunchAgents.

ls -la ~/Library/LaunchAgents/
ls -la /Library/LaunchAgents/

New plist files that appeared during your agent session deserve scrutiny. Open any unfamiliar ones and check what they launch.

10. Check network connections.

lsof -i -P | grep ESTABLISHED

Look for connections to IPs or domains you don't recognize. If something is connecting to a server you've never heard of, look it up.

11. Review what files were modified.

Create a timestamp file before your session starts, then use it to find changed files:

touch /tmp/agent-session-start
# ... run your agent session ...
find ~ -newer /tmp/agent-session-start -type f -not -path "*/Library/Caches/*" | head -50

This shows every file created or modified during the session. Ignore caches and logs — focus on unexpected files in unexpected locations.

12. Run a comprehensive scan.

Activity Monitor, lsof, ps, and find each give you a piece of the picture. Running all of them manually after every session isn't sustainable. That's genuinely why I built CoreLock — to consolidate process monitoring, network tracking, permission auditing, and behavioral analysis into a single 60-second scan. But whether you use CoreLock or do it manually, the point is the same: check what changed.

Tool-Specific Security Tips

OpenClaw

OpenClaw's power comes from its tool ecosystem, which is also its biggest security surface. A few specific recommendations:

• Review skills before installing them. Read the source code. Check when it was last updated and by whom. A skill with 3 stars and no reviews is a gamble. We covered this in depth in our supply chain attack analysis.
• Set memory to manual mode. OpenClaw's auto-memory stores context between sessions, which means a prompt injection in one session can persist into future sessions. Manual mode lets you control what gets saved.
• Use the permission system. OpenClaw has built-in permission controls for limiting which tools an agent can access per task. Use them. Don't grant blanket access.
• Monitor during sessions. While OpenClaw is running, check what processes it's spawning:

ps aux | grep -i claw

Claude Code

I use Claude Code daily, so I know its security model well. It's more locked down than OpenClaw by default, but it still deserves attention.

• Review permission settings. Claude Code's configuration lives in .claude/settings.json. Check what's enabled, especially which MCP servers are connected and what permissions they've been granted.
• Use the built-in permission prompts. Claude Code asks before running shell commands, writing files, and using tools. Don't auto-approve everything. Read what it's about to do. I know this slows you down. Security always has a cost.
• Keep it updated. Claude Code has had CVEs in the past. Make sure you're on the latest version. Run claude update regularly.
• Be aware of MCP servers. Every MCP server connected to Claude Code extends its capabilities — and its attack surface. Only connect what you need for the current project.

MCP Tools

MCP is the protocol that turns AI models into agents. Each MCP server is essentially a plugin that gives the agent new capabilities. Security considerations:

• Only connect servers you trust. An MCP server is arbitrary code running on your machine. Vet it like you'd vet any software you install.
• Review the source code. Most MCP servers are open source. Read the code, especially the parts that handle file system access, network requests, and shell commands.
• Be especially careful with file system and network MCP servers. These give the agent the broadest access. A file system MCP server can read your SSH keys. A network MCP server can send data anywhere.
• Audit regularly. MCP servers don't show up in System Settings. You need to check your agent's configuration to know what's connected.

Monitoring Tools

You don't have to go it alone. Here's what's available for keeping tabs on AI agent activity.

Built-in macOS Tools

• Activity Monitor (Applications > Utilities) — basic process monitoring. Sort by CPU or network to spot anomalies. Useful but manual and point-in-time.
• Console.app — system logs. Helpful for investigating after something goes wrong, but not practical for real-time monitoring.
• Terminal commands — lsof for network connections, ps for processes, netstat for network stats, fs_usage for file system activity. Powerful but fragmented.
• System Settings > Privacy & Security — the only way to audit macOS permissions. Good for manual reviews but doesn't alert you to changes.

Third-Party Tools

• Little Snitch / LuLu — outbound network monitoring. These show you every network connection an app makes and let you block specific ones. LuLu is free and open-source. Essential if you're running agents regularly.
• Objective-See tools — Patrick Wardle's free Mac security tools. BlockBlock monitors for persistence mechanisms (LaunchAgents). OverSight monitors camera and microphone access. These are excellent and free.
• CoreLock — this is what I built, so I'm biased, but I built it specifically for this use case. CoreLock combines process monitoring, network tracking, permission auditing, and AI-powered behavioral analysis in one scan. It maps kernel-level processes, tracks network connections, audits every macOS permission, and uses machine learning to detect behavioral deviations from your baseline.

The free tier gives you 3 scans per day. My recommendation: run one before your agent session, one after. That gives you a clear before/after picture of what changed. Pro gives you unlimited scans for continuous monitoring, which is what I use during long development sessions with Claude Code.

Why I Built CoreLock With AI Agents in Mind

I want to be transparent about this. When I started building CoreLock, the AI agent wave was just beginning. OpenClaw didn't exist yet. Claude Code was brand new. But I could see where things were heading — more autonomous software, more tools with deep system access, more activity happening faster than humans could manually review.

CoreLock was designed for exactly this gap. Traditional antivirus scans files for known malware signatures. That's not the threat model anymore. The threat model is: a trusted application, running with legitimate permissions, taking actions directed by an AI that might have been manipulated by hidden instructions in an email.

You need behavioral analysis for that. You need to know what "normal" looks like on your machine so you can spot when something deviates. You need process trees, not just process lists. You need to see network connections mapped to the processes that created them, not just a flat list of open ports.

The free tier gives you all of that, three times a day. That's enough for most people who run agent sessions occasionally. If you're running agents all day like I do, Pro is designed for continuous coverage. Either way, the goal is the same: you should be able to see what your AI agents are actually doing on your machine.

Check out our full feature breakdown or visit our best-for AI agent users page for a focused overview of how CoreLock handles the agent security use case.

The Future of AI Agent Security

The honest truth is that the industry is still figuring this out. We're in the early innings of AI agent security, and the standards are evolving fast.

MCP is maturing as a protocol, and I expect it will develop stronger security primitives — permission scoping, sandboxing, audit logging. OpenClaw and Claude Code are both actively improving their permission models. The AI labs are investing in prompt injection defenses, though we're still far from a complete solution.

But here's my view on where things need to go: we need runtime monitoring, not just gatekeeping. macOS's security model — check at install time, trust afterward — doesn't work for software that takes autonomous actions. We need tools that watch what's happening in real time, establish baselines, and flag deviations.

That's the approach CoreLock takes, and I believe it's where the entire industry will end up. The question is how much damage gets done in the meantime by people running powerful agents without any visibility into what those agents are doing.

How to Protect Your Mac — The Full Picture

AI agent security doesn't exist in a vacuum. It's one layer of a broader Mac security posture. If you haven't already, I'd strongly recommend reading through our complete Mac security guide — it covers FileVault, firewall configuration, permission audits, and twelve other steps that form the foundation everything in this guide builds on.

For the AI-agent-specific concerns, the resources that go deeper on each topic:

• OpenClaw security risks on Mac — detailed analysis of OpenClaw's threat surface
• AI agent gone rogue: real incidents and lessons — documented cases of agent misbehavior
• Supply chain attacks through OpenClaw skills — how malicious tools get distributed
• Hidden processes running on your Mac — finding and investigating background processes
• Apps with camera access — auditing macOS permissions
• Is your Mac sending data without permission? — checking for data exfiltration
• Do Macs need antivirus in 2026? — understanding macOS built-in protections

Conclusion

AI agents are here to stay. I use them every day, and I'm shipping better software because of it. The question isn't whether to use them — that ship has sailed. The question is how to use them without giving up visibility into what's happening on your own machine.

The threat model is new. Prompt injection, supply chain attacks through skill marketplaces, permission accumulation across tool chains, autonomous process spawning — none of these existed five years ago. macOS's security model wasn't designed for them, and most users aren't thinking about them.

But the defenses are not complicated. Audit your permissions. Monitor your processes. Check your network connections. Know what "normal" looks like so you can recognize when something isn't. And use tools — whether it's lsof and ps in your Terminal, LuLu on your network, or CoreLock for the full picture — to close the gap between what your agents can do and what you can see them doing.

That gap is where the risk lives. Close it.