Computer-Use & Browser Agents

Here is the simple problem these agents solve. An agent with tools can only reach software that offers an API — a clean, programmatic door to call. But think about the apps a real worker uses all day: a hospital's legacy scheduling system, a supplier portal, a desktop accounting suite, an internal CRM from 2009. Most of them have no usable API at all. The only door in is the same one a human uses: a screen to look at, and a mouse and keyboard to act with.

A computer-use agent (also called a GUI agent) is built to walk through that human door. Instead of calling functions, it does what you do: it looks at the screen, decides where to click and what to type, performs the action, looks again, and repeats. A browser agent is the most common and most reliable special case — the same idea scoped to a web browser rather than the whole desktop.

This is a genuinely different capability from classic tool use. It means an agent can, in principle, drive any application — no integration work, no vendor cooperation, no waiting for an API that will never ship. That generality is the whole appeal. The cost, as we'll see, is reliability: pixels are a far messier interface than a typed function signature.

If you already know the agent loop, you already know this. A computer-use agent is that same loop with one specialized tool bolted on: a computer the model can see and control. Picture a person handed a screenshot, told to describe the next click, then handed a fresh screenshot — that is exactly the rhythm. Each iteration looks like this:

1. Perceive — capture the current screen (a screenshot, plus optionally structured UI data) and send it to a multimodal model.
2. Reason — the model decides the next action: click at (x, y), type "invoice 4471", scroll down, press Enter.
3. Act — your code executes that action against the real environment (a VM, container, or live browser).
4. Observe — take a fresh screenshot showing the result, feed it back, and loop until the goal is met.

The model never touches the machine directly. It only emits intended actions; your harness executes them and returns the next screenshot. That separation is why the model can be cloud-hosted while the desktop runs locally or in your own cloud.

Crucially, the action space is coordinate-based. The model literally outputs "left-click at pixel (612, 344)". This demands strong visual grounding — mapping what a button means to exactly where it is — which is the single hardest sub-skill and the main thing benchmarks like ScreenSpot measure.

Before the agent can act, it has to see. How it perceives the UI is the central design decision, and there are exactly three ways to do it — each is just a different format for describing what's on screen. Think of one human reading raw pixels, another reading the labels a screen reader announces, and a third reading the page's underlying HTML. Production systems usually combine all three.

A common misconception is that screenshots are simply better because they're how humans see. In reality each has trade-offs. Screenshots handle visually unusual UIs that have no semantic structure; accessibility trees and DOM are far cheaper and more precise when they exist. That's why most production agents fuse them: use the screenshot for grounding and visual state, and the AXTree/DOM for reliable element identity and cheaper context.

This is also the key distinction from classic browser automation like Selenium or Playwright, which uses deterministic, scripted selectors (#submit-button). Computer use reasons over the live screen instead — slower and fuzzier, but it doesn't break the instant a layout changes.

In plain terms: as of 2026, all three big AI labs now sell a model that can drive a computer, and the main thing separating them is where the computer lives. Each ships a first-party computer-use model with a different deployment philosophy.

• Anthropic Computer Use. First shipped in beta in October 2024 with Claude 3.5 Sonnet — earlier than most people remember — and steadily expanded since. The current tool (computer_20251124, beta header computer-use-2025-11-24) supports Claude Opus 4.8/4.7/4.6, Sonnet 4.6, and Opus 4.5. Actions are tiered: basic (screenshot, click, type, key), enhanced-2025-01 (scroll, drag, multi-click, wait), and enhanced-2025-11 (adds zoom for magnifying a sub-region). Anthropic provides an official Docker reference implementation. You run the environment; the model is cloud-hosted.
• OpenAI CUA / Operator / ChatGPT agent. OpenAI's Computer-Using Agent model (GPT-4o vision + RL-trained reasoning) launched January 2025, powering the Operator product. On July 17, 2025 OpenAI unified Operator, deep research, and code execution into ChatGPT agent — accessible via "agent mode" in the ChatGPT composer — and Operator as a standalone product was retired. It drives a cloud-hosted virtual browser/computer.
• Google Gemini 2.5 Computer Use (gemini-2.5-computer-use-preview-10-2025). A preview model exposed via a computer_use tool in the Gemini API and Vertex AI, using the same screenshot loop. Google's Project Mariner takes a Chrome-extension approach against your live, authenticated browser.

One design fork runs through all three, and it is the choice that matters most for you: a sandboxed container (isolation, a fresh session, nothing of yours at risk) versus a live browser (instant access to your existing logins, but far less isolation).

You don't need a frontier lab's first-party model to build here. Picture a spectrum: scripted automation (rigid, exact) on one end, full pixel-level computer use (flexible, fuzzy) on the other. A mature open-source ecosystem now fills the middle, and most of it standardizes on Playwright for the actual browser control.

• Browser-Use (Python, MIT, ~96k GitHub stars) is the leading framework: an Agent class wrapping Playwright that pairs any vision-capable LLM with browser actions. It reached 89.1% on the WebVoyager benchmark.
• Stagehand (TypeScript, by Browserbase) exposes clean primitives — act, extract, observe, agent. Its v3 (Feb 2026) rebuilt the engine on the Chrome DevTools Protocol for a ~44% speedup.
• Skyvern (Python) is vision-first — LLMs plus computer vision, no XPaths or selectors — with millions of executed workflows.
• Microsoft's Playwright MCP server (March 2025) exposes Playwright automation over the Model Context Protocol, so any MCP-compatible agent can drive a browser without bespoke glue.

A simple way to choose: if the target is a standard website, a Playwright-backed browser agent (Browser-Use, Stagehand) is faster, cheaper, and more reliable than full pixel-level computer use. Reach for full computer use when you must drive a desktop app or a UI with no usable DOM.

Computer-use agents are improving fast — but a benchmark score is a grade on a curated exam, not a promise about your real workload. Read every headline number with that gap in mind. Four benchmarks anchor the field in 2026:

• OSWorld — full-OS tasks across real applications. Humans score ~72%. In early 2025 agent SOTA was in the 28–38% range; by late 2025 systems like OSAgent pushed past 76%, and by mid-2026 Agent S3 reached ~66–73% (with best-of-N sampling). The field has closed — and in some configurations surpassed — the human baseline on this benchmark, but performance on curated evals does not equal reliability on arbitrary real-world tasks.
• WebArena — web navigation; single-agent SOTA has risen above 60% and continues to improve.
• WebVoyager — live web browsing; Browser-Use reached 89.1% (vs. OpenAI Operator's 87%).
• ScreenSpot / ScreenSpot-Pro — pure UI grounding ("click the right pixel").

Two cautions matter. First, high benchmark scores do not mean production-ready. Curated tasks lack the unexpected modals, cookie banners, A/B-tested layouts, rate limits, and timeouts of real workloads. Second, roughly half of the historic performance gap was scaffolding and prompting, not raw model capability — meaning the harness you build (retries, screenshot cadence, action validation, replanning) materially changes results. Progress on OSWorld is real and remarkable, but treat any eval score as a directional signal, never as a guarantee for your specific task on your specific environment.

Here is the uncomfortable truth: an agent that can click anything can also click the wrong thing — submit a payment, delete a record, leak a credential. Computer use concentrates the genuine risks of agency into one place, so treat the environment as hostile from the start.

The core safety pattern is sandbox, scope, confirm:

• Sandbox. Run in a dedicated VM or Docker container with minimal privileges — never on a machine with access to anything you can't afford to lose.
• Scope. Restrict network access to an allowlist of domains; don't expose password managers or real credentials.
• Confirm. Require human approval for consequential or irreversible actions (purchases, sends, deletions).

The sharpest threat is prompt injection: malicious text or images on the screen itself (a web page, an email) hijacking the agent's instructions. Anthropic added classifier-based injection detection, but mitigations are partial — isolation and human gates remain essential. CAPTCHA solving and fake-account creation are explicit misuse vectors to block.

What works reliably today: web form filling, data entry across legacy apps lacking APIs, automated UI testing, structured web data extraction, and multi-step browser research. What still fails often: building slideshows, calendar management, and multi-app workflows that hit unexpected UI states. Scope to the former; keep a human on the loop for the rest.