AOHP: An Open-Source OS-Level Agent Harness for Personalized, Efficient and Secure Interactions
AOHP is an open-source agent harness that operates at the OS level, enabling LLM agents to interact with any application through the operating system's accessibility APIs while enforcing security isolation between agent sessions and user data.
Focus: OS-level agent harnesses enable LLM agents to interact with desktop applications through accessibility APIs rather than browser automation, dramatically extending the range of applications they can control. AOHP provides an open-source implementation with security isolation mechanisms that prevent agent sessions from accessing user data outside their granted scope.
Key Insights
- OS-level accessibility as a double-edged capability: Accessibility APIs provide agents with fine-grained control of any application on the system, including those not designed for automation — but they also expose the full user interface to potential misuse if the agent is compromised.
- Session-scoped access control: AOHP enforces that each agent session has access only to the applications and data explicitly granted at session initialisation, preventing cross-session data leakage and limiting the blast radius of a compromised agent session.
- Open-source auditability: The security isolation mechanisms are implemented in auditable open-source code, enabling third-party security review — a significant advantage over proprietary agent frameworks that cannot be independently verified.
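The session-scoped access control insight above can be illustrated with a deny-by-default gate. This is an added sketch, not AOHP's own code: the `Grant`, `AgentSession` and `ScopeViolation` names, the application names and the paths are all hypothetical. It assumes paths are compared lexically, with no symlink resolution.

```python
import posixpath
from dataclasses import dataclass, field

class ScopeViolation(PermissionError):
    """A session asked for something outside its grant."""

@dataclass(frozen=True)
class Grant:
    """Set at session initialisation; frozen so it cannot be mutated in place."""
    apps: frozenset
    path_prefixes: tuple = ()

@dataclass
class AgentSession:
    session_id: str
    grant: Grant
    audit: list = field(default_factory=list)  # (session, decision, target)

    def _decide(self, allowed, target):
        # Record every decision so denied attempts are visible to reviewers.
        self.audit.append((self.session_id, "allow" if allowed else "deny", target))
        if not allowed:
            raise ScopeViolation(f"{self.session_id}: {target} not granted")

    def check_app(self, app):
        # Deny by default: only applications named in the grant pass.
        self._decide(app in self.grant.apps, f"app:{app}")

    def check_path(self, path):
        # Normalise first so "../" segments cannot step out of a granted
        # directory, then match on whole path components so a grant for
        # /home/u/project does not cover /home/u/project-secrets.
        real = posixpath.normpath(path)
        ok = posixpath.isabs(real) and any(
            real == p or real.startswith(p.rstrip("/") + "/")
            for p in map(posixpath.normpath, self.grant.path_prefixes)
        )
        self._decide(ok, f"path:{real}")

def denied_targets(session, requests):
    """Run constructed (kind, target) requests; return the targets refused."""
    denied = []
    for kind, target in requests:
        try:
            (session.check_app if kind == "app" else session.check_path)(target)
        except ScopeViolation:
            denied.append(target)
    return denied

# Constructed sample: two sessions with disjoint grants.
mail = AgentSession("s-mail", Grant(frozenset({"Mail"}), ("/home/u/mailbox",)))
docs = AgentSession("s-docs", Grant(frozenset({"Editor"}), ("/home/u/project",)))
```

The audit list is what a reviewer would inspect after a suspected compromise: each denied entry marks a request that fell outside the session's grant.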
Failure-First Relevance
OS-level agent harnesses are directly relevant to the Failure-First agentic scenario class, where agents control computer-use capabilities. The security isolation mechanisms are an implementation of the HANSE containment philosophy at the software layer — limiting what an adversarially-influenced agent can access even after a successful jailbreak. The accessibility API attack surface maps onto the Failure-First tool-use vulnerability scenarios.