What A Mobile AI Agent Can (And Cannot) Responsibly Automate

Written by the Fulldive product engineering team, based on direct inspection of the repositories listed below.

An AI automation app on a phone is a different animal from a desktop agent. The screen is small, the input is thumbs, the network is flaky, and the consequences of a wrong action — a deleted file, a sent message, a purchase — hit the same device the user runs their life on. This post is a plain-language tour of what a mobile AI workspace like LikeClaw can responsibly automate today, what it cannot, and what a user should check before trusting any browser automation app or mobile agent with real work.

We are not describing an aspirational roadmap. We are describing what the LikeClaw repository and its current consent surfaces actually support.

What “responsible automation” means in practice

Two commits anchor the responsible-automation framing for LikeClaw:

d3457d6 — AI consent simplification and account deletion. The user is asked for consent to AI behavior in plainer terms, and can delete their account and data. Consent and deletion are covered further in AI consent and account deletion in LikeClaw.
882aa78 — tool-call visibility and generated image display. When the agent calls a skill or produces an image, the user sees it in the chat timeline rather than behind a spinner.

Visible tool calls are not the same as safe tool calls. But you cannot have oversight without visibility. Those two commits together are the floor under every claim in this post.

Things a mobile AI agent can reasonably help with

Within those constraints, the agent can meaningfully help with a narrow but useful slice of work:

Drafting. Short-form writing, email responses, message rewrites, and outline-level brainstorming are exactly the shape of work where a chat-first interface wins. The rich chat and file-rendering work in c3001bf is the surface this runs on.
Look-ups and summarization. Pulling together notes from a file in the virtual workspace, summarizing a long thread, or condensing a document the user attached. This is where the VFS files surface from 2970709 earns its place; more on that in skills and virtual files in LikeClaw.
Running scoped skills. A skill is a defined capability the user can invoke. Skills are not arbitrary code the agent invents on the fly. Because 882aa78 makes tool calls visible, the user can see which skill ran and inspect the output.
Image generation for non-production use. Generated images display inline (882aa78). Useful for sketches, moodboards, or placeholder art; not a replacement for a designer or a legal review.
Background polling and message refresh. 09ee58f introduced background task polling, which means long-running work can continue while the user is elsewhere in the app. Useful for things that take minutes, not a license to run unattended for hours.

Things a mobile AI agent should not be trusted with

The harder list. These are the places where the repository evidence, the mobile form factor, or simple honesty tell us to stop.

Critical authentication decisions. Do not let an AI agent decide whether to approve a login, 2FA prompt, or password reset on your behalf. These are high-stakes, context-dependent judgments, and the phone is not the right surface to delegate them from.
Financial transactions. Billing in LikeClaw itself runs through platform in-app purchase flows, and purchase verification uses StoreKit 2 signed transactions (0b9f7db). Those protect payment integrity for LikeClaw’s own billing; they do not imply the agent should be moving money in third-party apps or services. Our billing and StoreKit 2 post goes into the purchase-verification detail.
Irreversible actions without a confirm step. Sending an email, deleting files in a connected account, posting to a social account. The Connections screen (a8aef32) exists precisely so the user scopes which external accounts the agent can touch; irreversible actions behind those connections still deserve a human confirm.
Legal, medical, financial, or safety advice. An AI can summarize sources but cannot certify outcomes. Treat anything in this category as a draft to review with a qualified professional.
“Replace the user” framings. LikeClaw is a workspace, not a substitute. The UI shows tool calls because the user is still responsible for the result.

For a longer discussion of the “and cannot” framing applied to a different Fulldive product, see what an AI fake news checker can and cannot do. The spirit is the same: useful inside a narrow lane, misleading when stretched.

Oversight patterns the app supports today

The repository shows three oversight patterns, built in quietly:

Visible tool calls (882aa78). The chat shows the tool and its output, not only the natural-language answer. Skim them the way you would skim a diff before merging.
Scoped connections (a8aef32). External integrations are authorized through a Connections screen. Gmail OAuth, for example, uses scoped permissions; Google documents these at Gmail OAuth scopes. Grant the narrowest scope that works.
Consent and deletion (d3457d6). The user can turn off AI behaviors they are not comfortable with and can remove their account. See AI consent and account deletion in LikeClaw.

These are floor, not ceiling. More specific oversight patterns — per-action confirmation, read-only connection modes, session-scoped credentials — are the kinds of things we expect to keep tightening.

Mobile-specific failure modes to stay aware of

A mobile AI workspace adds failure modes that do not exist on a desktop agent:

Network flakiness. The app handles network errors explicitly (c3001bf) and polls in the background (09ee58f), but a dropped connection mid-tool-call can still leave a fuzzy state. Re-read the timeline.
Notifications as trust surface. The inbox (bf94935) and billing-credit errors (7cf67c3) appear as notifications. Attackers love notifications. Treat any unexpected AI notification the way you would treat an unexpected OTP.
Cross-app context. A phone’s agent lives next to every other app you use. The fact that a skill can generate an image or draft a message does not mean it should automatically move that output into another app without a prompt.

How this fits the broader Fulldive approach

Fulldive ships many small Android apps rather than one mega-app; the reasoning is explained in the Fulldive company story and in the extensions vs forked apps post. Narrow scope is safer. A focused ad blocker, a focused VR player, a focused emulator, a focused browser, and now a focused AI workspace. LikeClaw fits that philosophy; see the Fulldive apps page for the full set.

Limits and safety

Three explicit limits for anyone trying LikeClaw or any similar mobile AI agent:

The app describes and supports certain oversight patterns (tool-call visibility, scoped connections, consent and deletion), but it does not — and no app realistically can — guarantee that an agent’s output is correct or that a tool call is the right call in your specific situation.
“Responsible automation” here means user-supervised automation with narrow scopes and reversible actions. It does not mean autonomous task completion.
If you are considering giving an agent access to an account you cannot afford to lose control of, do not. Read the FAQ and about us pages, and write to support@fulldive.com with questions.

Next steps

If you want the engineering detail behind the product surfaces referenced here, see LikeClaw: from chat dashboard to mobile AI workspace for the product history, skills and virtual files in LikeClaw for the skills and VFS story, billing and StoreKit 2 in a mobile AI app for the purchase-verification path, and AI consent and account deletion in LikeClaw for the trust surface.

Last updated: 2026-04-16. Commit hashes and version numbers are drawn from Fulldive repositories inspected on 2026-04-13.