News · OpenAI's public-URL check for agent link fetching
OpenAI's public-URL check for agent link fetching
How OpenAI decides which URLs an agent can load automatically — and what it surfaces to users when it can't verify one
The leak happens in the render, not the reply
The attack OpenAI documents does not require the model to say anything sensitive out loud. A URL is itself a payload: when an agent fetches a page, previews a link, or loads an embedded image, it hands the requested address to the destination server, which logs it. An attacker who tricks the model into requesting something like a collector URL with private data appended reads that data straight out of their own logs.
For frontend teams, the important detail is where this occurs. OpenAI notes the request "might happen in the background, such as loading an embedded image or previewing a link." These are exactly the passive rendering behaviors a UI performs automatically — the moments a user is least likely to notice. The exfiltration channel is the same machinery that makes agent output feel rich and responsive.
Why OpenAI rejected the obvious allow-list
The intuitive fix — only let agents open links to reputable domains — gets two paragraphs of rebuttal in the post, and both reasons are practical. Redirects mean a link can begin on a trusted domain and forward to an attacker-controlled destination, so a check that only inspects the first domain is defeatable. And rigid allow-lists produce friction: frequent warnings and false alarms that, in OpenAI's words, "train people to click through prompts without thinking."
That second point is a UX security argument, not just a coverage argument. A safety control that fires too often erodes its own signal. OpenAI is explicitly optimizing for a warning that stays meaningful because it appears rarely.
Shifting the question from reputation to publicity
The core mechanism reframes the trust decision. Instead of asking whether a domain is reputable, OpenAI asks whether a specific URL has already been observed publicly on the open web by an independent crawler — one that indexes pages the way a search engine does, with no access to user conversations, accounts, or personal data.
This shifts the safety question from "Do we trust this site?" to "Has this specific address appeared publicly on the open web in a way that doesn't depend on user data?"Montana Labs
The logic is that a URL already known to exist publicly, independent of any conversation, is unlikely to carry that user's secrets. A URL with private data stuffed into its query string won't match the index, because no crawler ever saw it. If it matches, the agent loads it automatically; if not, OpenAI either steers the agent to a different source or requires explicit user action.
What the frontend actually shows, and where it stops
When a URL can't be verified, the user sees messaging that the link isn't verified, may include information from their conversation, and should be trusted before proceeding. This is the visible surface of the whole system — the point where the background fetch is interrupted and handed back to a human decision.
OpenAI is careful about scope. The safeguard targets one guarantee: preventing the agent from quietly leaking user-specific data through the URL itself. It does not vouch for page content, block social engineering, or make browsing safe in general. It's positioned as one layer alongside model-level prompt-injection mitigations, monitoring, and red-teaming.
The specific implication for agent frontends: passive resource loading now needs a verification gate before it renders, and the design assumes an ongoing adversary rather than a solved problem. If you are building UIs that auto-preview links or inline remote images from model output, this post is a reminder that every automatic fetch is a decision — and that treating it as free is where the data escapes.
Find this story relevant to you?
Contact us to find a unique solution
Need an AI engineering partner that can actually build?
We help businesses integrate AI, build AI-powered products, automate high-value workflows, and modernize the software systems behind them.
Related reading
More analysis around product delivery, operational AI, and the systems work that makes deployment hold up in reality.