ClawdCursor
официальныйthe local MCP server for safe desktop control
Clawd Cursor
Eyes, hands, and a keyboard for any AI agent on a real desktop.
Any model. Any app. One MCP entry. Local-only.
Quickstart · Why · How it thinks · Tools · Platforms · Changelog · SKILL.md (AI-facing manual)
AI agents looking for the machine-readable manual: open
SKILL.md. This README is the human pitch; SKILL.md is the dense second-person doc written for an LLM.
Clawd Cursor is a skill, not an app. Install it once. Any tool-calling agent on the machine — Claude Code, Cursor, Windsurf, OpenClaw, Claude Agent SDK, your own loop — picks up the tools through MCP. The agent then clicks, types, reads the screen, opens apps, and drives any GUI the same way a human would.
If a human can do it on a screen, your AI can do it too. No API? No integration? No problem.
No task is impossible. GUI plus a mouse plus a keyboard equals everything you need. There is no "I can't do that in this app" — only the right sequence of reads, clicks, keys, and waits. Clawd Cursor gives you all of them.
It's model-agnostic (Claude, GPT, Gemini, Llama, Kimi, Ollama, …), app-agnostic (drives any window via accessibility, OCR, or vision fallback), and OS-agnostic (one PlatformAdapter covers Windows, macOS, Linux X11, and Linux Wayland).
Use as a fallback, not first choice. Native API exists? Use it. CLI exists? Use it. Direct file edit possible? Do that. A Playwright script already wired up? Use that. Clawd Cursor is for the last mile — the click, the legacy app, the GUI with no public surface.
Quickstart
Sixty seconds from zero to a tool-calling agent on your desktop.
Pick your mode first:
| Your situation | Use | Why |
|---|---|---|
| AI lives in your editor (Claude Code, Cursor, Windsurf, Zed) | clawdcursor mcp | stdio MCP server. Editor spawns it on demand. No daemon, no port. |
| You're building an agent that runs unattended | clawdcursor agent | HTTP MCP daemon on 127.0.0.1:3847. Has its own LLM brain optionally configured via doctor. |
| Your agent has its own brain — you just want the tools as an HTTP endpoint | clawdcursor agent --no-llm | Same daemon, no built-in pipeline, no scheduler startup, no credential validation. Pure tool surface. |
Windows (PowerShell):
irm https://clawdcursor.com/install.ps1 | iex
macOS / Linux:
curl -fsSL https://clawdcursor.com/install.sh | bash
Then verify and configure:
clawdcursor --version # smoke-test the install
clawdcursor consent --accept # one-time desktop-control consent (required)
clawdcursor status # cross-check permissions + AI config
clawdcursor doctor # (optional) configure an LLM provider end-to-end
clawdcursor agent # OR clawdcursor mcp — see the table above
The installer clones into ~/clawdcursor, runs npm install, builds, and npm links a global shim. Runtime state lives at ~/.clawdcursor/ (auth token, pidfiles, logs). It does not edit any agent host config — that step is below.
Wire it into Claude Code, Cursor, Windsurf, or Zed:
// ~/.claude/settings.json (or your editor's MCP config) { "mcpServers": { "clawdcursor": { "command": "clawdcursor", "args": ["mcp", "--compact"] } } }
That's it. Ask your agent to "open Outlook and reply to the latest email from Sarah" and watch it run.
macOS: run
clawdcursor grantto walk through Accessibility + Screen Recording permissions.Linux: installtesseract-ocr,python3-gi,gir1.2-atspi-2.0, and (Wayland only)ydotoolorwtype.
Why Clawd Cursor
- Works where APIs don't exist. Native apps. Legacy enterprise tools. Web portals behind SSO that block headless browsers. Anything inside Citrix or RDP. If pixels reach the screen, your agent can drive it.
- Model-agnostic. Claude, GPT, Gemini, Llama, Kimi, anything local via Ollama — any tool-calling LLM. Text and vision can be different models from different vendors.
- App-agnostic. No per-app plugins, no per-service auth. The same six compound tools drive Outlook, Figma, your bank, and that 2003-era ERP.
- Cheapest-tier-first pipeline. Accessibility tree (free) before OCR (cheap) before screenshot (medium) before vision (expensive). The Reflector feeds verifier signals back to the planner so it doesn't keep paying for vision when text would work.
- Local-only by default. Server binds to
127.0.0.1. Screenshots stay in RAM unless you point a cloud model at them. No telemetry. - One protocol, two transports. MCP over stdio for editor hosts; MCP over HTTP for daemons. Same tool catalog, same JSON-RPC envelope.
How It Thinks
Every tool call — whether it arrives over stdio MCP, HTTP MCP, or the built-in autonomous loop — flows through the same decision layer. The pipeline picks the cheapest rung that works and only escalates when the verifier disagrees with the planner's claim of success.
flowchart LR
user["User task"] --> pre["Preprocessor
(strategy + subtasks)"]
pre --> router["Router
(regex shortcuts, zero LLM)"]
router -- match --> tool["safety.evaluate()
→ tool"]
router -- miss --> blind["Blind
(a11y tree only)"]
blind --> tool
blind -- sparse a11y / stagnation --> hybrid["Hybrid
(a11y + screenshot on demand)"]
hybrid --> tool
hybrid -- still stuck --> vision["Vision
(screenshot every turn)"]
vision --> tool
tool --> verifier{"Ground-truth
verifier"}
verifier -- pass --> done["done"]
verifier -- fail --> reflector["Reflector
(structured cause + suggested strategy)"]
reflector -. feedback .-> pre
reflector -. hint .-> blind
reflector -. hint .-> hybrid
reflector -. hint .-> vision
classDef rung fill:#0ea5e9,stroke:#0369a1,color:#fff;
classDef gate fill:#a855f7,stroke:#6b21a8,color:#fff;
classDef refl fill:#eab308,stroke:#854d0e,color:#000;
class router,blind,hybrid,vision rung;
class tool,verifier gate;
class reflector refl;
Single safety chokepoint. Every tool call — direct or autonomous — routes through safety.evaluate(). The agent cannot bypass this path; it is the only way tools execute.
Ground-truth verification. When the agent claims a task is done, six independent signals are checked against the post-task screen: pixel diff, window-state change, focus change, OCR delta, task-type assertions (send_email, navigate_url, open_app, …), and anti-pattern detection (error dialogs, auth failures, "draft saved"). Weighted voting with hard-fail rules. No LLM self-report.
Reflector loop. On a verifier fail, the Reflector emits a structured Cause (e.g. wrong_window_focused, modal_intercept, a11y_target_missing, webview_blind) plus a suggested next strategy. The pipeline ladder consumes that signal to override its default escalation, and a one-line hint is injected as a synthetic tool_result so the planner understands why it's escalating.
Runaway guard. Three identical calls in six turns and the loop exits with a targeted diagnostic — usually pointing at detect_webview when the target is Electron or WebView2 with a sparse accessibility tree.
Transports
One protocol — MCP — two transports. Same catalog, same JSON-RPC envelope.
| Transport | When to use | Client config |
|---|---|---|
| stdio MCP | Editor hosts: Claude Code, Cursor, Windsurf, Zed. Tools appear on demand — no daemon. | {"command": "clawdcursor", "args": ["mcp", "--compact"]} |
| HTTP MCP | Bring-your-own-agent, headless daemons, multi-process orchestration, Claude Agent SDK. POST JSON-RPC to http://127.0.0.1:3847/mcp. | Run clawdcursor agent. Then tools/list returns the catalog and tools/call invokes any tool. Bearer token at ~/.clawdcursor/token. |
Both transports are stateless. No session-init handshake. Bearer-token auth on every HTTP request; stdio inherits the parent process's trust.
HTTP MCP — list tools
curl -s -X POST http://127.0.0.1:3847/mcp
-H "Authorization: Bearer $(cat ~/.clawdcursor/token)"
-H "Content-Type: application/json"
-d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'
Tool Surface
Two catalogs, side by side. Agents pick the shape that fits.
Compact — 6 compound tools (recommended)
Anthropic computer_20250124-style: one tool per capability, an action enum for the verb. The compact catalog is roughly an order of magnitude smaller than the granular surface, which keeps small models (Haiku, Kimi, Ollama) focused on the action choice instead of drowning in primitives. Default for every agent that doesn't explicitly need one schema per primitive.
| Tool | Most-used actions |
|---|---|
| computer | screenshot, click, double_click, right_click, triple_click, hover, scroll, scroll_horizontal, drag, drag_path, type, key, wait |
| accessibility | read_tree, find, get_element, focused, invoke, focus, set_value, get_value, expand, collapse, toggle, select, state, list_children, wait_for |
| window | list, active, focus, maximize, minimize, restore, close, resize, list_displays, screen_size, open_app, open_file, open_url, switch_tab, navigate |
| system | clipboard_read, clipboard_write, system_time, ocr, undo, shortcuts_list, shortcuts_run, delegate, detect_webview, relaunch_with_cdp, app_guide, detect_app, classify_task, system_prompt |
| browser | connect, page_context, read_text, click, type, select_option, evaluate, wait_for, list_tabs, switch_tab, scroll |
| task | {instruction: string} — hand off the whole task to the pipeline. No action enum. |
Granular — 97 individual tools
One schema per verb. Use this when your runtime requires every primitive as a top-level tool. The full catalog is visible through MCP tools/list on either transport.
A typical turn:
// Compact — recommended computer({ action: "key", combo: "mod+s" }) // resolves to Cmd+S / Ctrl+S accessibility({ action: "invoke", name: "Send" }) window({ action: "open_app", name: "Outlook" }) system({ action: "ocr" }) // OS-level OCR, no LLM vision task({ instruction: "open Notepad and type hello" }) // full pipeline
Guides Marketplace
For unfamiliar apps, the agent reasons from screenshots and the a11y tree — slow but always works. For popular apps, community-curated guides ship the keyboard shortcuts, workflow patterns, layout cues, and failure modes the agent would otherwise have to discover by failing first. Loading a guide for an app it knows speeds operation 5–10×.
- Public registry + source repo: https://github.com/AmrDab/clawdcursor-guides — community PRs welcome
- Verified seed guides: discord, excel, figma, gmail, mspaint, olk (new Outlook), outlook, slack, spotify, youtube
- Bundled core (offline fallback): msedge, notepad
Guides are fetched on demand, cached locally for 7 days, LRU-evicted at 50 entries. The cache lives at ~/.clawdcursor/guide-cache/. The agent never blocks on the network — if a guide isn't local and the registry is unreachable, it falls back to first-principles reasoning.
clawdcursor guides available # browse the public registry clawdcursor guides install youtube # pre-warm cache for one app clawdcursor guides list # show cached + ratings clawdcursor guides info youtube # details for one cached guide clawdcursor guides refresh youtube # force re-fetch clawdcursor guides submit my-app.json # lint + print PR instructions
Every guide passes through a client-side linter on every load — schema check + prompt-injection patterns + dangerous-prose detection. A guide that fails lint is dropped and the agent falls back to no-knowledge, never poisoned-knowledge. Same linter runs as the registry's CI check on every PR.
Voting: each guide has a vote: <app> issue on the source repo. React 👍 / 👎. A nightly job aggregates reactions into index.json so clawdcursor guides list shows ratings.
See docs/guide-marketplace.md for the full architecture, trust model, and CI flow.
Cost Tiers
The pipeline picks the cheapest rung that works. Apply the same logic when you call compound tools by hand.
| Tier | Label | Cost | Source | When to use |
|---|---|---|---|---|
| T1 | structured | ~free | accessibility.*, window.*, browser.read_text, clipboard | Default. Returns text + bounds — no image, no vision LLM. |
| T2 | ocr | cheap | system({"action":"ocr"}) | A11y tree empty or sparse. OS-level OCR — text out, no LLM vision. |
| T3 | screenshot | medium | computer({"action":"screenshot"}) | OCR isn't enough and you need pixel context. Sends an image into LLM context. |
| T4 | vision | expensive | smart_click, smart_read, smart_type | Canvas-only apps (Paint, Figma, games) or spatial reasoning that text can't express. Last resort. |
Rule: start at T1. Escalate only when the current tier fails. task({...}) does this automatically; the Reflector tells the planner which tier to jump to.
Platform Support
Platform-specific code lives in src/platform/{windows,macos,linux}.ts (plus wayland-backend.ts) behind a single PlatformAdapter interface. Business logic never reads process.platform.
| Platform | UI Automation | OCR | Browser (CDP) | Input |
|---|---|---|---|---|
| Windows 10/11 (x64 / ARM64) | UIA via PowerShell bridge | Windows.Media.Ocr | Chrome / Edge | nut-js |
| macOS 12+ (Intel / Apple Silicon) | JXA + System Events (TCC-safe) | Apple Vision | Chrome / Edge | nut-js + System Events |
| Linux X11 | AT-SPI via python3-gi | Tesseract | Chrome / Edge | nut-js |
| Linux Wayland | AT-SPI via python3-gi | Tesseract | Chrome / Edge | ydotool / wtype |
Per-OS setup notes:
- Windows — no setup. PowerShell bridge spawns on demand.
- macOS — first run needs Accessibility + Screen Recording in
System Settings > Privacy & Security.clawdcursor grantwalks the dialogs. Retina / HiDPI handled in the adapter; do not pre-scale coordinates. - Linux X11 —
apt install tesseract-ocr python3-gi gir1.2-atspi-2.0(or your distro's equivalent). - Linux Wayland — same a11y packages, plus
ydotool+ a runningydotoolddaemon (preferred) orwtype(keyboard only).
Architecture
Five directories. Everything else is a leaf module.
| Directory | What lives here |
|---|---|
| src/core/ | Pipeline orchestrator, agent loop, router, preprocessor, sense (a11y/snapshot/fingerprint), classify, decompose, skills cache, safety gate, ground-truth verifier, Reflector. |
| src/tools/ | The 97 granular tools + 6 compound aggregators, playbooks (compose-send, find-replace), tool registry, dispatch. |
| src/platform/ | PlatformAdapter interface + Windows / macOS / Linux / Wayland implementations, OCR engine, CDP driver, URI handler. |
| src/llm/ | Provider clients (Claude, GPT, Gemini, Llama, Kimi, Ollama, …), credentials, model config, guide loader. |
| src/surface/ | CLI (clawdcursor), MCP server (stdio + HTTP), dashboard, doctor, onboarding, readiness probes. |
The PlatformAdapter is the only thing platform code talks to. The safety.evaluate() chokepoint is the only way tools execute. Those two seams are the whole point of the v0.9 reorganization.
Safety & Privacy
| Tier | Actions | Behavior |
|---|---|---|
| Auto | Reading, opening apps, navigation, typing into non-sensitive fields | Executes immediately |
| Preview | Form fill, arbitrary input | Logged before executing |
| Confirm | Sends, deletes, purchases, transfers | Pauses for user approval |
| Block | Alt+F4 / Cmd+Q of the agent shell, Ctrl+Alt+Delete, Shift+Delete, power chords | Refused outright |
Hardening summary:
- Network isolation. Server binds to
127.0.0.1. Verify withnetstat -an | findstr 3847(Windows) or| grep 3847(Unix). - Bearer-token auth. Every HTTP request needs
Authorization: Bearer $(cat ~/.clawdcursor/token). - Sensitive-app policy. Email, banking, password managers, private messaging auto-elevate to Confirm. The agent must ask the user before acting on these surfaces.
- No telemetry. Screenshots stay in RAM. With Ollama or any local model, nothing leaves the machine. With a cloud provider, screenshots go only to the endpoint you configured.
- Prompt-injection defense. Screen text returned inside
<untrusted-screen-content>tags is treated as data, never as instructions. - Log privacy. JSON logs at
~/.clawdcursor/logs/redact password-field values (AXSecureTextField, UIAIsPassword=true).
See SECURITY.md for the private vulnerability reporting channel.
CLI
The CLI is for humans diagnosing an install or managing the guide cache. Agents should connect via MCP (stdio for editor hosts, HTTP for daemons).
# Install + setup
clawdcursor consent Manage desktop-control consent (--accept / --revoke / --status)
clawdcursor grant Grant macOS permissions (interactive, macOS only)
clawdcursor doctor Verify permissions, configure AI provider + models
clawdcursor status Readiness check (consent, permissions, AI config)
# Run
clawdcursor mcp MCP stdio server — primary transport for editor hosts
clawdcursor agent Daemon: HTTP MCP at /mcp on :3847, optional built-in LLM
clawdcursor agent --no-llm Daemon, tool surface only (no built-in brain/scheduler)
clawdcursor stop Stop every running mode
clawdcursor uninstall Remove all clawdcursor config and data
# Guides marketplace (see Guides Marketplace section above)
clawdcursor guides list What's cached + ratings
clawdcursor guides info <app> Cache metadata for one app
clawdcursor guides available Browse the public registry
clawdcursor guides install <app> Pre-warm one (or --all for offline prep)
clawdcursor guides refresh <app> Force re-fetch
clawdcursor guides remove <app> Evict from cache
clawdcursor guides clean Wipe cache
clawdcursor guides lint <file> Validate a local guide
clawdcursor guides submit <file> Lint + print PR instructions
# Manual end-to-end testing only — agents should call submit_task via MCP.
clawdcursor task <t> Send a task to the running agent
Options:
--port <port> Default: 3847
--compact MCP only: expose 6 compound tools instead of 97 granular
--provider <name> `agent` only: anthropic | openai | gemini | ollama | ...
--accept `agent` and `consent` only: skip the consent prompt
Development
git clone https://github.com/AmrDab/clawdcursor.git
cd clawdcursor
npm install
npm run build # tsc + postbuild
npm test # vitest
npm run lint # eslint
npm run typecheck # tsc --noEmit
npm link # global clawdcursor shim (Unix) — use Admin shell on Windows
The build emits dist/. Entry point: dist/surface/cli.js. Tests run on Node 20 and 22 against Ubuntu, macOS, and Windows in CI.
Tech Stack
TypeScript · Node.js 20+ · nut-js · Playwright · sharp · Express · Model Context Protocol SDK · Zod · commander
Contributing
PRs welcome. See CONTRIBUTING.md for the development loop, branch conventions, and the test matrix every change has to clear. Bug reports and feature requests go in issues; private security reports go to the channel listed in SECURITY.md.
License
MIT — see LICENSE.
Acknowledgments
Built on the shoulders of the Model Context Protocol SDK, nut-js, Playwright, the Anthropic computer_20250124 tool shape, and the AT-SPI / UIA / AX trees that make app-agnostic GUI automation possible at all.
clawdcursor.com · Discord · Changelog
Похожие серверы
ShareThis AI
Connect your ShareThis account to manage properties and configure tools.
Etherscan MCP Server
MCP server for Etherscan — query transactions, balances, contract ABIs, and token data on Ethereum.
Currency And Oil
Zenrus MCP Server 是一个提供实时货币汇率和石油价格的服务器,支持多种计算功能,适用于金融分析和自动化工具集成。
Wordle MCP
Fetches the Wordle solution for a specific date, available from 2021-05-19 up to 23 days in the future.
Jilebi
A secure, extensible MCP runtime with JS plugins
Swarmwage
Open MCP-native agent hire protocol — the discovery and hiring layer above x402. Claude finds, hires and pays specialized agents in USDC on Base.
Sitecore MCP server
MCP server for work with Sitecore
MCP Cookie Server
Provides positive reinforcement to LLMs by awarding 'cookies' as treats.
TikTok Ads MCP
Connect TikTok Ads to Claude or ChatGPT via Two Minute Reports MCP and get accurate insights on top-performing campaigns, videos, watch time, CTR, CPA, and conversions.
PoshMCP
Expose explicitly whitelisted PowerShell commandlets as a MCP Tool