Writer’s Brief

The Hook

I clicked “Allow” on a macOS permission dialog without thinking. Then I asked what I’d actually just done.

Main Points to Cover

  1. When you grant your terminal “Automation” permission to control Finder or System Events, you’re not granting it to one script. You’re granting it to EVERY script, npm package, and pip install that runs in that terminal. Forever.
  2. The fix was replacing 1 line of osascript with 10 lines of Swift that uses the proper macOS API (NSWorkspace). Zero permissions needed. The native API exists, people just reach for osascript because it’s easier to Google.
  3. The broader lesson: most “just click Allow” moments in macOS are trading long-term attack surface for short-term convenience. The permission system is good, but only if you understand what you’re actually granting.

The Angle

Personal discovery while building a small tool. Not preachy security advice - more “huh, I didn’t realize what that checkbox actually meant.”

Target Reader

Developers and power users who click through macOS permission dialogs without thinking. People who run CLI tools and scripts regularly.

Tone Notes

Casual, slightly alarmed in a fun way. Not fear-mongering. More like “oh wait, that’s what that does?” The tone of someone who just learned something by accident while building something unrelated.

Raw Material / Moments to Write From

  • The permission error said “Not authorized to send Apple events to Finder” - had to paste the command into Terminal manually to trigger the Allow dialog. Claude Code’s subprocess couldn’t even trigger it.
  • Asked “what would a security expert say?” and the answer was basically: you just gave every npm package you’ll ever install the ability to control Finder
  • System Events permission is even scarier than Finder - it can control ANY app, read UI elements, simulate keystrokes
  • The Swift fix is literally 10 lines. The native API (NSWorkspace.setDesktopImageURL) has existed for years. But nobody googles for it because osascript is the top Stack Overflow answer.
  • The whole thing started as “I want to label my macOS spaces” and turned into a security lesson about permission models
  • Three levels of macOS Automation permissions we touched: Finder (file operations), System Events (control any app), Terminal (one app controlling another). All unnecessary for what we actually needed.
  • After revoking all permissions, tested again - tool still works perfectly. The permissions were never needed in the first place.
  • The broader pattern: osascript is the “easy” way to automate macOS stuff, but it always requires IPC permissions. Native APIs (Swift/ObjC) often do the same thing with zero permissions. The convenience of osascript has a hidden cost.