Tier 3 · Power3.115 min

When Claude stops talking and starts doing

New green shoots unfurling in spring lightWorking with Claude — CC BY 4.0

Most of this course has been about Claude as something you converse with: you ask, it answers, you judge the answer. This lesson is about the other mode — Claude acting. Reading your Google Drive, sending a Slack message, editing a file, clicking through a website on your behalf. The industry calls this “agentic”, which mostly means “the model can do things, not just say things”.

The through-line here is the same as everywhere else in the course: you stay in command. The moment Claude can act, the stakes change — a wrong answer you can shrug off; a wrong action has already happened. So this lesson sets out, in plain terms, exactly how “Claude doing things” works, and where the limits are.

Two ways Claude acts

There are two mechanisms, and they’re different enough to keep straight.

Tool use (also called function calling). This is the main one. Claude never runs anything itself. It looks at what you’ve asked, and if it decides a tool would help, it emits a request: “I’d like to call send_email with these arguments.” A piece of software around Claude — the app, the connector, the harness — then decides whether to actually run that, does the work, and hands the result back. Claude reasons over the result and carries on.

That gap matters. Claude proposes; the surrounding software disposes. Everything you can control — permissions, approvals, logging, “ask me first” — lives in that gap, not inside the model.

In the Claude apps this shows up as connectors. You link Claude to a service (Drive, Slack, Asana, a calendar, and so on), and Claude gains tools to read your data and take actions in it — create, change, delete, send. Two things to hold onto: Claude inherits your permissions from that service (if you can’t see a file, neither can Claude through the connector), and connectors are not read-only by default — many can write. An admin can restrict a connector to reading only (on current Team and Enterprise plans), which is often the sensible starting point.

Computer use. The more experimental one. Instead of a tidy list of tools, Claude is given a screen. It takes a screenshot, decides where to click, moves the cursor, types — driving ordinary software the way a person would. This lets it operate things that were never built to talk to an AI. It’s genuinely useful for repetitive click-work, and it’s genuinely rough: Anthropic ships it as a beta and describes it as error-prone. It misreads screens, clicks the wrong element, and loses its place. Treat it as a capable but unreliable temp worker, not an employee you can leave unsupervised.

What it can and can’t do

Can: chain several steps toward a goal, pull real data from your connected tools, take real actions in them, and recover from small errors by trying again.

Can’t, or can’t be trusted to:

Imagine handing Claude the power to act in one tool you use. What’s the worst single thing it could do there — and is that thing reversible?

If it isn’t, what would you want standing between Claude and that button?

The oversight it needs

None of this is a reason to avoid agentic Claude. It’s a reason to keep the custody where it belongs — with you.

  1. Least privilege. Connect only what the task needs, and prefer read-only unless writing is the point. Don’t wire Claude into your whole account “just in case”.
  2. A human on irreversible steps. Sending, deleting, paying, publishing, pushing to production — keep these behind your explicit yes. Reversible, auditable actions can run more freely.
  3. Review what it did, not what it said. Open the sent folder, look at the actual diff, check the record changed. The report is a claim; the artefact is the evidence.
  4. Start supervised, widen slowly. Watch a new workflow run a few times before you let it run unattended. Trust is earned per task, not granted up front.

Agentic Claude is where the tool earns its keep — and where a careless setup does real damage. The skill is deciding, deliberately, what it may act on, and staying the one who signs off.

Shared freely, in good faith. If it's been of value, a koha toward development and running costs is warmly welcomed.

Leave a koha →

Useful? Share this lesson with a colleague.