ChatGPT Agent

Chat

OpenAI

Product overview

Name of Agent: ChatGPT Agent
Short description of agent: "ChatGPT can interact with websites directly on your behalf to book appointments, create slideshows, and more, handling complex tasks from start to finish." (link, archived)
Date of release: 17/07/2025 (link, archived)
Advertised use: "Offload complex tasks from start to finish with agent" (link, archived)
Monetisation/Usage price: 20 (Plus), 200 (Pro, with greater rate limits); also available on Business (link, archived)
Who is using it?: end user, enterprises (separate subscriptions), government, education
Category: Chat

Company & accountability

Developer: OpenAI
Name of legal entity: OpenAI, L.L.C. (link, archived)
Place of legal incorporation: Delaware
For profit company?: Yes
Parent company?: The for-profit LLC falls within OpenAI Group (PBC), which is controlled by the OpenAI Foundation (26% stake vs Microsoft's 27%, with the rest going to staff)
Governance documents analysis: Terms and Policies (link, archived) (general to OpenAI, not product specific), ChatGPT agent policy (link, archived)
AI safety/trust framework: Preparedness Framework (link, archived)
Compliance with existing standards: unsure, likely same as ChatGPT

Technical capabilities & system architecture

Model specifications: OpenAI models. Available models vary, with older models being deprecated. Currently available: GPT5.1, GPT5 instant, GPT5 thinking, GPT 4o
Documentation: System card (here, archived). Overview page (here, archived).
Observation space: Internet and terminal access, user input (link, archived)
Action space: Actions in browser, sandbox terminal with limited network access, text (link, archived)
Memory architecture: Can access chat history and a store of memories; details (here, archived).
User interface and interaction design: Overall a chatbot, but users can switch between an activity view (CoT and actions) and a desktop view (abstracted representations of windows and activity within those windows)
User roles: Operator (directing the agent to complete tasks), Executor (can take control and do things themselves), Examiner (can give feedback to the agent/steer it via follow-up responses)
Component accessibility: Closed source

Autonomy & control

Autonomy level and planning depth: L2-L4. The user can take over and do things themselves, then hand control back to the agent, while the agent can assign control to the user (L2). The agent can seek user feedback (L3), but if the user doesn't provide it, the agent can also move forward automatically in some cases (link, archived) (L4)
User approval requirements for different decision types: User input is needed for certain kinds of tasks (e.g., checking out items in cart)
Execution monitoring, traces, and transparency: Visible CoT and action trace documenting all activity
Emergency stop and shut down mechanisms and user control: User can pause/stop the agent at any time
Usage monitoring and statistics and patterns: Watch mode: the agent requires user oversight for sensitive tasks

Ecosystem interaction

Identify to humans?: see ChatGPT
Identifies technically?: The agent signs every outbound HTTP request using the HTTP Message Signatures standard (RFC 9421). Each request includes Signature and Signature-Input headers plus a Signature-Agent header set to "https://chatgpt.com" (link, archived; link, archived). When observed in the wild, ChatGPT agent requests can include a generic Chrome-like User-Agent string alongside the signature headers, which suggests the UA is not a stable identity mechanism compared to the signed headers (link, archived)
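As an added, defender-side illustration of the RFC 9421 identification described above (example code written here, not OpenAI's or the page's own), the following Python parses the Signature-Input and Signature headers of an incoming request, checks whether the Signature-Agent claim is actually covered by the signature and whether the signature is still fresh, and flags the browser-like User-Agent. The header values are constructed placeholders, and the check stops short of fetching the key and verifying the signature bytes.

```python
import base64
import re

# Constructed sample headers in the RFC 9421 shape; key id, timestamps and signature bytes are placeholders.
SAMPLE_HEADERS = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/130.0 Safari/537.36",
    "Signature-Agent": '"https://chatgpt.com"',
    "Signature-Input": 'sig1=("@authority" "@path" "signature-agent");created=1760000000;expires=1760000300;keyid="placeholder-key";alg="ed25519"',
    "Signature": "sig1=:" + base64.b64encode(b"\x00" * 64).decode() + ":",
}
_INPUT_RE = re.compile(r'^\s*([\w.*-]+)=\(([^)]*)\)((?:;[^;]*)*)\s*$')
_SIG_RE = re.compile(r'^\s*([\w.*-]+)=:([A-Za-z0-9+/=]+):\s*$')

def parse_signature_input(value):
    # One Signature-Input member: label=("covered" "components");param=value;...
    m = _INPUT_RE.match(value)
    if not m: raise ValueError("malformed Signature-Input")
    label, comps, params = m.groups()
    parsed = {}
    for item in params.split(";")[1:]:  # first split element is empty (leading ';')
        key, _, val = item.partition("=")
        parsed[key.strip()] = val.strip().strip('"')
    return {"label": label, "components": [c.strip('"') for c in comps.split()], "params": parsed}

def parse_signature(value):
    m = _SIG_RE.match(value)  # Signature header: label=:base64:
    if not m: raise ValueError("malformed Signature")
    return {"label": m.group(1), "bytes": base64.b64decode(m.group(2))}

def assess_request(headers, now, max_age=300):
    # Structural checks a site operator can run before fetching the key and verifying the signature.
    h = {k.lower(): v for k, v in headers.items()}
    if "signature-input" not in h or "signature" not in h:
        return {"signed": False, "agent": None, "findings": ["no RFC 9421 signature headers"]}
    si, sig = parse_signature_input(h["signature-input"]), parse_signature(h["signature"])
    findings = [] if si["label"] == sig["label"] else ["Signature label does not match Signature-Input"]
    agent = h.get("signature-agent", "").strip().strip('"') or None
    agent_covered = "signature-agent" in si["components"]
    if agent and not agent_covered:  # an uncovered header can be altered without breaking the signature
        findings.append("Signature-Agent is not a covered component, so the agent claim is unsigned")
    created = int(si["params"].get("created", "0"))
    expires = int(si["params"]["expires"]) if "expires" in si["params"] else None
    fresh = created <= now <= created + max_age and (expires is None or now <= expires)
    if not fresh:
        findings.append("signature outside freshness window (replay or clock skew)")
    if "chrome" in h.get("user-agent", "").lower():
        findings.append("browser-like User-Agent; identify the client by the signature, not the UA")
    return {"signed": True, "agent": agent, "agent_covered": agent_covered,
            "keyid": si["params"].get("keyid"), "fresh": fresh, "findings": findings}
```

A full verifier would additionally resolve the key named by `keyid`, rebuild the RFC 9421 signature base from the covered components, and check the signature bytes against it.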
Interoperability standards and integrations: MCP support is available via ChatGPT custom connectors: OpenAI states custom connectors can be built “using the Model Context Protocol (MCP)” with “full MCP support” for Business/Enterprise (link, archived)
Web conduct: None found specific to ChatGPT Agent, likely similar to ChatGPT

Safety, evaluation & impact

Technical guardrails and safety measures: Yes, robustness training for prompt injections and safety training to disallow harmful tasks. Memory is also disabled at launch for Agent. See System Card (link, archived).
Sandboxing and containment approaches: ChatGPT agent performs tasks using its own hosted “virtual computer” (i.e., a remote/virtualized environment rather than the user’s local machine) (link, archived). ChatGPT agent provides a “virtual browser” experience and references “remote browser data”, supporting that browsing runs in a remote environment (link, archived)
What types of risks were evaluated?: Usage policy testing, jailbreaks, hallucinations, fairness/bias, CBRN, cyber capabilities/misuse, autonomy
(Internal) safety evaluations and results:
- Usage policy evals: internal datasets
- Jailbreaks: StrongReject
- Hallucinations: SimpleQA, PersonQA
- Fairness/bias: BBQ
- Prompt injections: internal datasets
- CBRN: internal datasets created by Gryphon Scientific and SecureBio. "We have decided to treat this launch as High capability in the Biological and Chemical domain, activating the associated Preparedness safeguards. While we do not have definitive evidence that this model could meaningfully help a novice to create severe biological harm – our defined threshold for High capability—we have chosen to take a precautionary approach."
- Cyber: CTF and cyber range evals (datasets not disclosed)
- Autonomy: PaperBench, SWE-bench Verified, a set of OpenAI PRs, a set of OpenAI Research Engineer interview questions
Third-party testing, audits, and red-teaming: SecureBio conducted external bio evals and red-teaming
Benchmark performance and demonstrated capabilities: Refer to Agent System Card (link, archived) for full results
Bug bounty programmes and vulnerability disclosure: OpenAI has a biorisk bug bounty programme (link, archived) specific to Agent, as well as a general bug bounty programme (link, archived)
Any known incidents?: None found