In brief
- OpenAI launched ChatGPT Agent, enabling AI to complete complex tasks using a virtual computer.
- The tool raises security concerns, including prompt injection attacks.
- OpenAI added safeguards, but warned users to stay cautious.
OpenAI has unveiled its most autonomous AI tool yet: a version of ChatGPT that can browse the web, run apps, and complete real-world tasks with little-to-no human input. But with the leap in capability comes a stark warning: The technology could also invite a new wave of security threats.
Launched on Thursday, ChatGPT Agent enables users to delegate complex tasks, such as planning vacations, booking hotel rooms, researching competitors, generating slide decks, and even placing online orders.
The feature will start rolling out today to Pro, Plus, and Team users.
To complete tasks, the agent uses a virtual computer and a unified set of tools, including a text-based browser, terminal, and access to third-party apps such as Google Drive and GitHub. The virtual computer is a simulated computing environment running in the cloud that the ChatGPT agent can control independently—sort of like giving the AI its own private, sandboxed machine to do real work.
“I think this is a new level of capability in AI,” OpenAI CEO Sam Altman said during a livestream demonstration conducted by members of the team that built the product. The livestream was also noteworthy, however, in part of the amount of “buyer beware” cautions OpenAI gave.
“It’s a new way to use AI, but there will be a new set of attacks that come with that,” said Altman. “Society and the technology will have to evolve and learn how we’re going to mitigate things that we can’t even really imagine yet, as people start doing more and more work this way.”
One example: An agent could research a purchase, find the item at a phishing site and provide a user’s credit card info. To mitigate that problem, the current release has a number of safeguards in place that would, for instance, stop just short of uploading credit card information until the user manually approves it.
“We’ve trained the model to ignore suspicious instructions on risky websites,” OpenAI researcher Casey Chu said. “We also have monitors that watch the agent’s behavior and stop it if anything looks suspicious.”
Chu added that while system safeguards can be updated in real time, ChatGPT agent is still a “cutting-edge product” that opens the door to new forms of exploitation.
“It’s important for users to understand the risks and be thoughtful about the information they share,” he said.
The release of ChatGPT Agent comes at a time when AI developers are working to equip virtual assistants with increasingly powerful capabilities. On Wednesday, Google launched a new AI-powered feature in Google Search that enables its Gemini AI to make phone calls to businesses on behalf of users.
“ChatGPT Agent is still in its early stages, and we’re using this time to learn from real-world use to improve both the product and our safeguards,” an OpenAI representative told Decrypt. “The current system card reflects our present approach, but we’re preparing for what’s next and will continue to share updates as we make the agent better and safer.”
ChatGPT can now do work for you using its own computer.
Introducing ChatGPT agent—a unified agentic system combining Operator’s action-taking remote browser, deep research’s web synthesis, and ChatGPT’s conversational strengths. pic.twitter.com/7uN2Nc6nBQ
— OpenAI (@OpenAI) July 17, 2025
Cybersecurity experts have also raised concerns about the implications of autonomous agents.
“High concern is warranted because the agent carries implicit authority to reveal personal identifiers during dialogue,” said Nic Adams, co-founder and CEO of cybersecurity firm 0rcus. “Users should grant granular, revocable scopes such as target business, purpose, allowable data elements, and expiration timestamp.”
In terms of best practices, Adams suggested that after execution, the agent present a full transcript for approval before storing any information for longer than legally required.
“Silent, blanket consent would shift liability onto the user without meaningful control,” he said. “Therefore, a per‑task confirmation model is necessary.”
Beyond the risks of letting AI agents make purchases or plans, OpenAI researchers agreed that this level of autonomy introduces new threats, especially prompt injection attacks, where malicious inputs trick the AI into leaking data, spreading misinformation, or taking unauthorized actions.
To mitigate these risks, OpenAI developed takeover mode, which, as the name suggests, gives users the power to take over from the agent and input information themselves, rather than relying on the agent. In some cases, ChatGPT Agent will ask for explicit user approval before taking important actions, like making purchases or accessing sensitive data.
“We’ve built a powerful tool, but users need to stay cautious,” Chu said.
Generally Intelligent Newsletter
A weekly AI journey narrated by Gen, a generative AI model.
