AI Agent Link Security - How OpenAI Prevents URL Data Leaks
OpenAI
Jan 29, 2026

The link-safety update by OpenAI prevents agents from automatically retrieving unverified URLs that might contain private data in their query strings. Agents will only fetch links if they are already present on the public internet (as recognized by an independent crawler index); otherwise, users receive a warning and can decide whether to continue.
The specific risk: URLs can leak data
When an agent accesses a link, the entire URL (including query parameters) is sent to the destination and often logged. Malicious actors could trick an agent into including sensitive details—like an email or document title—in that URL, causing a silent leak (even through redirects, images, or previews).
Why simple allow-lists aren’t sufficient
Allow-listing “trusted sites” fails when those sites redirect or embed third-party content; it also adds friction that users soon learn to click through. OpenAI instead addresses the URL itself: is this exact address already public?
The control: only auto-fetch public URLs
OpenAI uses an independent web index (separate from user discussions) to confirm if a URL is publicly known.
Match found: the agent can load automatically.
No match: the agent refrains from auto-fetching; users might receive a warning and choose to proceed or ask for different options.
What users will encounter
For unverified links, ChatGPT might present a “Check if this link is safe” prompt: “not verified,” “may include information from your conversation,” and options to copy or proceed regardless. This makes the “quiet leak” apparent and keeps control in human hands.
What this covers—and doesn’t
This defence targets URL-based data leaks. It doesn’t ensure page trustworthiness or remove all prompt-injection risks, so OpenAI extends it with model-level protections, product controls, monitoring, and red-teaming as part of a defence-in-depth strategy.
Implications for developers and security teams
Reduce silent leaks: Implement a similar “public-URL-only auto-fetch” policy in custom agents and set up warnings for unverified links.
Strengthen against injections: Combine link-safety with anti-prompt-injection measures and guided tool-use patterns in Agent Builder/AgentKit.
Balance user experience and safety: Engage users without restricting legitimate browsing; use human-in-the-loop for high-risk activities.
Advance your protections: Regard agent safety as an ongoing initiative—add measures as new evasion attempts are observed.
Bottom line: Link safety doesn't replace other controls, but it eliminates a common, subtle path for context leakage—and establishes a strong default for agent browsing.
FAQs
Q1. What is URL-based data exfiltration in agents?
When an agent processes a link that embeds private context in the URL’s query string, the destination can log that information, disclosing it silently.
Q2. How does OpenAI’s link safety function?
Agents only auto-fetch URLs previously seen on the public web by an independent crawler. Unverified links trigger a user warning before they are opened.
Q3. Does this prevent prompt injection?
It removes one prompt-injection outcome (a forced URL fetch carrying secrets), but broader injection risks persist and are mitigated through model-level and product protections.
Q4. What should developers emulate from this?
Adopt public-URL validation, explicit warnings, and require human authorization for risky actions; integrate with recognized safety best practices and human-in-the-loop processes.
Q5. Is this feature now available in ChatGPT?
OpenAI describes this as a safeguard already deployed in ChatGPT and its agentic experiences, and intends to keep advancing it as threat actors adapt.