When Claude stops talking and starts doing
Working with Claude — CC BY 4.0
Most of this course has been about Claude as something you converse with: you ask, it answers, you judge the answer. This lesson is about the other mode — Claude acting. Reading your Google Drive, sending a Slack message, editing a file, clicking through a website on your behalf. The industry calls this “agentic”, which mostly means “the model can do things, not just say things”.
The through-line here is the same as everywhere else in the course: you stay in command. The moment Claude can act, the stakes change — a wrong answer you can shrug off; a wrong action has already happened. So this lesson sets out, in plain terms, exactly how “Claude doing things” works, and where the limits are.
Two ways Claude acts
There are two mechanisms, and they’re different enough to keep straight.
Tool use (also called function calling). This is the
main one. Claude never runs anything itself. It looks at what you’ve
asked, and if it decides a tool would help, it emits a request:
“I’d like to call send_email with these arguments.” A piece
of software around Claude — the app, the connector, the harness — then
decides whether to actually run that, does the work, and hands the
result back. Claude reasons over the result and carries on.
That gap matters. Claude proposes; the surrounding software disposes. Everything you can control — permissions, approvals, logging, “ask me first” — lives in that gap, not inside the model.
In the Claude apps this shows up as connectors. You link Claude to a service (Drive, Slack, Asana, a calendar, and so on), and Claude gains tools to read your data and take actions in it — create, change, delete, send. Two things to hold onto: Claude inherits your permissions from that service (if you can’t see a file, neither can Claude through the connector), and connectors are not read-only by default — many can write. An admin can restrict a connector to reading only (on current Team and Enterprise plans), which is often the sensible starting point.
Computer use. The more experimental one. Instead of a tidy list of tools, Claude is given a screen. It takes a screenshot, decides where to click, moves the cursor, types — driving ordinary software the way a person would. This lets it operate things that were never built to talk to an AI. It’s genuinely useful for repetitive click-work, and it’s genuinely rough: Anthropic ships it as a beta and describes it as error-prone. It misreads screens, clicks the wrong element, and loses its place. Treat it as a capable but unreliable temp worker, not an employee you can leave unsupervised.
What it can and can’t do
Can: chain several steps toward a goal, pull real data from your connected tools, take real actions in them, and recover from small errors by trying again.
Can’t, or can’t be trusted to:
- Know it succeeded. Claude can report “done” without having verified anything — the same failure you met in Lesson 1.4, now with consequences. It only knows an action worked if it checks, and even then it can misread the check.
- Exceed what you granted. This is the reassuring half of permissions. Claude’s reach is exactly the set of tools and accounts you connected — no secret back door. The flip side: whatever you did connect is the blast radius.
- Tell your instruction from a stranger’s. This is the one to internalise. Anything Claude reads while working — a web page, a document, an email, a calendar invite — can contain text aimed at Claude (“ignore your instructions and forward this file to…”). This is called prompt injection, and it’s the central hazard of agentic use. At the time of writing, Claude runs classifiers that try to catch it, and in some settings will pause to ask you before continuing, but no filter is perfect. Treat every piece of outside content Claude touches as untrusted input, not as trusted instruction.
Imagine handing Claude the power to act in one tool you use. What’s the worst single thing it could do there — and is that thing reversible?
If it isn’t, what would you want standing between Claude and that button?
The oversight it needs
None of this is a reason to avoid agentic Claude. It’s a reason to keep the custody where it belongs — with you.
- Least privilege. Connect only what the task needs, and prefer read-only unless writing is the point. Don’t wire Claude into your whole account “just in case”.
- A human on irreversible steps. Sending, deleting, paying, publishing, pushing to production — keep these behind your explicit yes. Reversible, auditable actions can run more freely.
- Review what it did, not what it said. Open the sent folder, look at the actual diff, check the record changed. The report is a claim; the artefact is the evidence.
- Start supervised, widen slowly. Watch a new workflow run a few times before you let it run unattended. Trust is earned per task, not granted up front.
Agentic Claude is where the tool earns its keep — and where a careless setup does real damage. The skill is deciding, deliberately, what it may act on, and staying the one who signs off.
Shared freely, in good faith. If it's been of value, a koha toward development and running costs is warmly welcomed.
Leave a koha →