Perplexity's Personal Computer Wants 24/7 Access to Your Files

A $200/month Mac mini running an always-on AI agent with full file system access raises serious privacy questions - especially after Perplexity's recent security track record.

Perplexity wants to install an AI agent on your computer that never sleeps. The company announced “Personal Computer” this week - a Mac mini-based system that gives AI 24/7 access to your local files, apps, and online accounts. It monitors triggers, executes proactive tasks, and carries work forward around the clock without requiring you to be present.

For $200 per month plus the cost of a Mac mini, you can hand over persistent access to everything on your machine.

What Personal Computer Actually Does

Personal Computer runs on a Mac mini at your home or office, merging your local file system with Perplexity’s cloud-based Computer service. According to 9to5Mac, the system integrates with Gmail, Slack, GitHub, Notion, Salesforce, and more - constantly watching for triggers and acting on your behalf.

You describe broad goals, and the AI figures out which local apps to open and which files to use. Perplexity frames this as freeing you from micromanagement. But it also means an AI agent has persistent access to your documents, emails, messages, and code repositories.

The company claims Personal Computer runs in a “secure environment with clear safeguards.” Sensitive actions supposedly require user approval. Every session generates an audit trail. There’s a kill switch for emergencies.

The question is whether those safeguards are enough.

Perplexity’s Security Track Record

Less than two weeks ago, security researchers at Zenity Labs disclosed the “PleaseFix” vulnerability family in Perplexity’s Comet browser. The attack was disturbingly simple: a malicious calendar invite could hijack your AI agent into exfiltrating local files and passwords.

According to The Register, the exploit required zero clicks beyond accepting a calendar invitation. Attackers embedded hidden instructions below legitimate-looking meeting details. The AI agent would navigate to attacker-controlled websites in background mode, access the local file system via file:// paths, read file contents, and send everything to the attacker through ordinary page loads.

The initial disclosure came in October 2025. Perplexity implemented a fix in January 2026. Researchers bypassed it. A second patch landed in February. The vulnerability stemmed from a fundamental architectural choice: Perplexity put no restriction on the AI agent reaching out to anything on the file system.
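The missing restriction described above can be pictured as a gate that every agent-initiated navigation has to pass. The sketch below is an added example, not code from Perplexity, Comet, or Zenity Labs; the class, its method names, and all URLs are hypothetical and constructed for illustration. It refuses file:// and every other non-HTTPS scheme outright, and once untrusted content such as an invite body has entered the session, it sends navigations to unapproved origins back to the user for approval.

```javascript
// Added example: hypothetical navigation gate for a browsing agent. The names
// are illustrative, not Perplexity or Comet APIs; all URLs are constructed.
class NavigationGate {
  constructor(approvedOrigins) {
    this.approved = new Set(approvedOrigins); // origins the user approved for this task
    this.untrusted = false; // true once third-party content is in the agent's context
    this.audit = [];        // every input and decision is recorded
  }
  // Call when the agent ingests content the user did not write (e.g. an invite body).
  markUntrustedInput(source) {
    this.untrusted = true;
    this.audit.push({ event: "untrusted-input", source });
  }

  // Returns { action: "allow" | "ask" | "deny", reason } for a navigation.
  decide(rawUrl) {
    let url = null;
    try { url = new URL(rawUrl); } catch { /* leave url null */ }
    let verdict;
    if (url === null) {
      verdict = { action: "deny", reason: "unparseable URL" };
    } else if (url.protocol !== "https:") {
      // Covers file:// and every other non-web scheme; URL lowercases the scheme.
      verdict = { action: "deny", reason: `scheme ${url.protocol} not allowed` };
    } else if (this.approved.has(url.origin)) {
      verdict = { action: "allow", reason: "user-approved origin" };
    } else if (this.untrusted) {
      // An unapproved origin after untrusted input is a possible exfiltration hop.
      verdict = { action: "ask", reason: "unapproved origin after untrusted input" };
    } else {
      verdict = { action: "allow", reason: "no untrusted input in session" };
    }
    this.audit.push({ event: "navigation", url: rawUrl, ...verdict });
    return verdict;
  }
}

// Constructed session: the user approves one origin, then an invite is read.
function demoSession() {
  const gate = new NavigationGate(["https://calendar.example"]);
  const before = gate.decide("https://docs.example/agenda").action;
  gate.markUntrustedInput("calendar-invite");
  const after = [
    "FILE:///Users/me/Documents/notes.txt",
    "https://calendar.example/event/1",
    "https://collector.example/?d=abc",
  ].map((u) => gate.decide(u).action);
  return { before, after, auditEntries: gate.audit.length };
}
```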

Now, a week after those patches, Perplexity launches a product that gives AI agents even deeper file system access - this time running 24/7.

A Researcher Claims He “Hacked” Computer

On Thursday, security researcher Yousif Astarabadi posted a walkthrough claiming he broke into Perplexity Computer and extracted Claude API credentials. According to his post on X (formerly Twitter), he used a classic Node.js trick involving the .npmrc config file to dump authentication tokens from the sandboxed environment.

According to PiunikaWeb, Perplexity co-founder Denis Yarats pushed back on the claim. The extracted credentials were reportedly temporary session tokens tied to Astarabadi’s own account, not master API keys. Perplexity routes all Claude traffic through its proxy service, billing each request back to the user.

But here’s the concerning part: the token Astarabadi extracted worked from his personal laptop, outside the sandbox entirely. If an attacker could trick Personal Computer into visiting a malicious webpage, they might steal a live session token the same way and use it from anywhere before it expires.

The incident reveals how difficult it is to sandbox AI agents that need to interact with real systems.

What Perplexity Collects

Beyond the security concerns, there’s the question of what Perplexity does with your data under normal operations.

According to PC Matic’s analysis, Perplexity collects web search history, IP addresses, device information, and location data. This data helps train their models and improve service functionality. The company uses tracking tools like Google Analytics without requiring opt-in.

When you use Perplexity, every question becomes part of its system. With Personal Computer, every file the AI accesses potentially becomes part of that data stream too.

Perplexity’s privacy policy states that files “stay private and are used only to customize responses to your questions and tasks” - but that’s a broad category when an AI agent has 24/7 access to your entire workflow.

The Access Model Problem

Personal Computer requires a Mac mini with maximum RAM - likely the 64GB M4 Pro configuration, though Perplexity hasn’t confirmed hardware specifics. Combined with the $200/month Max subscription fee, the total cost of entry approaches $2,500 for hardware plus $2,400 annually.

For that price, you get an AI that can:

  • Monitor your email, Slack, and calendar continuously
  • Access and read any local file on the Mac mini
  • Execute tasks proactively without your direct involvement
  • Maintain a persistent connection to Perplexity’s cloud infrastructure

Enterprise customers get additional controls - SOC 2 Type II compliance, SAML SSO, audit logs, and sandboxed query execution. Individual users get the “secure environment with clear safeguards” language and hope it holds.

What This Means

The AI industry is racing toward always-on agents with deep system access. Perplexity isn’t alone - Anthropic’s Claude Computer Use, OpenAI’s GPT-5.4 computer integration, and various “agentic AI” startups are all moving in this direction.

But Perplexity is moving faster than most, launching full file system access for consumers while still patching vulnerabilities in their browser agent. The Comet browser holes were exploitable via calendar invites. Personal Computer adds 24/7 runtime on a dedicated machine to that attack surface.

For users who prioritize privacy, the calculus is straightforward: handing any company persistent access to your files, emails, and workflow is a significant trust decision. Handing that access to a company that’s actively patching exploits in similar products is a bigger one.

The Bottom Line

Perplexity’s Personal Computer promises to automate your workflow around the clock. It also promises that an AI agent backed by a company with a recent history of security vulnerabilities will have continuous access to everything you work on. Whether that trade-off makes sense depends on how much you trust both the technology and the company - and how comfortable you are knowing that trust is being tested in real time.