Tool-Driven File Ingestion Via Container.Download With Browsing-Context Gating
Sources: 1 • Confidence: Medium • Updated: 2026-02-06 16:59
Key takeaways
- Observed container.download requests use a 'ChatGPT-User/1.0' user-agent and originate from an Azure IP in central US (Des Moines, Iowa).
- ChatGPT containers can run Bash commands directly rather than being limited to Python-only execution.
- Outbound network requests are blocked in the container, but pip install and npm install work via a custom proxy mechanism.
- container.download is unlikely to be a straightforward data-exfiltration vector because it appears to restrict downloads to URLs previously viewed in the conversation.
- ChatGPT’s code-execution container has recently gained significant new capabilities that are not clearly documented by OpenAI.
Sections
Tool-Driven File Ingestion Via Container.Download With Browsing-Context Gating
A dedicated download tool enables public URL retrieval into the container filesystem, but observed behavior includes a prerequisite that the URL be viewed via browsing in the same conversation, with additional filtering behavior on certain constructed query strings.
- Observed container.download requests use a 'ChatGPT-User/1.0' user-agent and originate from an Azure IP in central US (Des Moines, Iowa).
- A tool called container.download can fetch a public URL and save the file to a specified path within the sandboxed container.
- Attempting to download a URL that was not previously opened in the conversation can fail with an error requiring the URL to be viewed first using web.run.
- web.run may allow some constructed query strings, but longer query strings containing prior prompt history can be blocked by filtering.
Container Capability Expansion (Bash And Node Runtimes)
The container tool surface includes direct command execution and additional runtimes beyond Python, expanding the class of workflows that can be executed inside the sandbox.
- ChatGPT containers can run Bash commands directly rather than being limited to Python-only execution.
- The container includes Node.js and can execute JavaScript directly in addition to Python.
- A tool list from a GPT-5.2 Thinking session includes container.exec, container.feed_chars, container.open_image, container.download, web.run, and Python execution tools.
Network Isolation With Package Installs Via Internal Proxy Registries
Despite blocked general outbound network requests, package managers can install dependencies via an internal proxy configured by environment variables, indicating a controlled egress model oriented around curated package access.
- Outbound network requests are blocked in the container, but pip install and npm install work via a custom proxy mechanism.
- pip/uv and npm are configured to use an internal gateway proxy via environment variables that point to OpenAI-hosted package registries.
- Environment variables indicate additional proxied registries (Go, Maven/Gradle, Cargo, Docker) and report NETWORK as 'caas_packages_only', while Rust and Docker are not installed.
Security Posture And Exfiltration-Risk Claims Remain Partially Contested
The corpus offers a mitigating hypothesis for exfiltration risk based on URL-view gating, but it is presented as a dispute-level assessment rather than a fully established security guarantee.
- container.download is unlikely to be a straightforward data-exfiltration vector because it appears to restrict downloads to URLs previously viewed in the conversation.
- Attempting to download a URL that was not previously opened in the conversation can fail with an error requiring the URL to be viewed first using web.run.
- web.run may allow some constructed query strings, but longer query strings containing prior prompt history can be blocked by filtering.
Documentation Gap And Stability Risk Of Silent Upgrades
A core delta is that capabilities appear to have changed without clear official documentation or stable naming, creating reliability and governance uncertainty.
- ChatGPT’s code-execution container has recently gained significant new capabilities that are not clearly documented by OpenAI.
Watchlist
- ChatGPT’s code-execution container has recently gained significant new capabilities that are not clearly documented by OpenAI.
Unknowns
- What are the official specifications for container.exec, container.download, web.run, and the container network mode, including limits (CPU/RAM/disk/time), allowed commands, and deprecation/stability guarantees?
- How broadly are these container capabilities available across free vs paid tiers, regions, and models, and is access gated by experiments or gradual rollout?
- What exactly is the 'applied-caas gateway' package proxy behavior: mirroring completeness, caching/version pinning behavior, auditability, and policy controls (allow/deny lists)?
- What are the precise enforcement rules for container.download URL eligibility (what counts as 'viewed', how redirects are handled, and whether user-pasted URLs qualify)?
- Do web.run filters systematically prevent prompt-history exfiltration via query strings, and where are the boundaries (length, entropy, content types)?