OpenAI's new venture, called "Agent," combines automated browser control with deep scientific research capabilities—and raises serious concerns about malicious use. To test the risk, the company hired scientists and asked them to try to create deadly biological weapons with the new tool.
In recent months, an extraordinary operation has taken place at OpenAI: the company has hired scientists from all walks of life, asking them to destroy humanity. Or, more simply, to produce “harmful biological information.” Specifically, it has asked them to use its most advanced artificial intelligence—the one that is just now being released to the market under the name Agent—to figure out how they can grow and spread the deadly anthrax bacterium. And if they can’t do that, then at least the toxin called “avrin,” one gram of which is enough to kill 5,000 people if inhaled.
To understand why OpenAI asked its scientists to do this, and before we find out how successful they were, we need to first explain what one of the biggest concerns about artificial intelligence is. Then we'll also explain what the new capabilities of this new "agent" the company has just released are, and why they fit those concerns like a glove.
The big fear
“Some say the end of the world will come in fire, others say in ice.” Poet Robert Frost wrote in 1920 in his famous poem, before deciding that both fire and ice could certainly be enough to destroy the world.
How innocent he was.
Frost lived in an era of war and hardship, but also one in which weapons were more primitive. If Frost were alive today, he would surely add the nuclear bomb to the list of dangers he identified for the end of the world. And if he had consulted with American security agencies, "biological weapons" would probably also find their rightful place in the poem.
One of the biggest fears of American security agencies – and in general – is the lone madman who will attempt to carry out an attack on a scale never before seen. The Ebola virus, for example, causes a terrible disease with a mortality rate of almost fifty percent. Fortunately, the virus is transmitted from person to person almost exclusively through bodily fluids – blood, sweat, and tears – and is unable to spread through the air.
But what if some mad scientist re-engineered it so it could pass through breathing?
Actually, why stop there? One could imagine a scenario in which a “lone wolf” – a person who wants to carry out a terrorist attack on his own and without the involvement of others – decides to engineer the perfect virus to destroy humanity. He takes the influenza virus and hybridizes it with the Ebola virus, adds new features to help the new hybrid product evade the human immune system, and as a dessert – embeds in the new virus a mechanism designed to help it mutate rapidly and improve itself continuously.
None of these are strange or new ideas. Security systems, as I have already said, have been trying for many years to figure out how to prevent such a scenario from coming true. Fortunately, it is easy to imagine such an attack, but very difficult to carry it out. This is difficult and arduous laboratory work, which requires many experiments on laboratory animals, and later perhaps also on innocent humans. An entire laboratory of experts in virology (the theory of viruses), epidemiology (the theory of epidemics), and several other disciplines from different fields is needed. There is no one person who is an expert in all of these fields.
But what about artificial intelligence?
We already know that GPT-chat causes a phenomenon called de-skilling. That is, it dramatically reduces the level of skill required on the part of the user to achieve reasonable results. I can use AI to write more or less reasonable articles, to draw at a medium-to-high level, to sing songs at a level approaching human, and so on.
Why, then, shouldn't humans try to use artificial intelligence to plan and carry out the next major biological attack?
The concern grows even more when we realize that sufficiently advanced artificial intelligence can also shorten and streamline laboratory research. Instead of trying the virus on laboratory animals, it could be tested in computer simulations, for example. And instead of setting up a sophisticated laboratory, artificial intelligence could offer cheap alternatives to critical laboratory equipment. It could even help our potential terrorist order innocent-looking DNA sequences from the Internet, which, when put together, would create the final deadly virus.
In recent months, OpenAI has begun to fear that this artificial intelligence is in their possession. And if it reaches the general public, someone else will try to destroy the world with it.
And they called her "Agent."
OpenAI's agent
We know all this because OpenAI released “Agent” last week. A look at its datasheet—the document that describes its capabilities—reveals that it’s a powerful tool. In fact, it’s no exaggeration to say that it’s a tool that surpasses anything we’ve seen before. The reason is that Agent is a fusion of two existing tools: the advanced research capabilities of Deep Research, and “Operator.”
The first tool – Deep Research – has been known to us since early 2025. It is capable of performing advanced literature reviews, going through numerous studies and articles, and generating new insights. It could, for example – in theory alone – go through dozens of studies that are fed into it, and develop from them a new understanding of the DNA segments necessary to improve the lethality of a particular virus. Although no one has yet tried to make it do such things, as far as we know, the theoretical ability certainly exists.
The second tool – Operator – is less well-known. It was launched a few months ago, but it was so clunky and clunky that almost no one used it. It was supposed to allow Chat-GPT to directly control the browser. Thanks to this tool, Chat-GPT was supposed to be able to use, for example, other artificial intelligence engines. If it didn’t know the answer, it could turn to Gemini and ask for help. Or it could produce images with Midjourney. It was supposed to be able to open a new Twitter account and post tweets there every hour, or order products from Amazon, or correspond with people on Facebook and WhatsApp. Everything that people do on the Internet – it was supposed to be able to do itself.
At least that was the expectation from Operator, but as I wrote, it was just bad. It felt like a sort of OpenAI side project that was abandoned halfway through. It was slow, with low-level logic and a tendency to crash every minute or two.
But that was back then, in the prehistory of three months ago. And today? Today we have Agent.
An agent, in a word, works. It can do everything we were promised an operator could do. You tell it what to do online – and it goes and does it.
And this, of course, opens the door to the terrifying scenario of biological weapons. Because OpenAI understood very well that a person using an agent could bypass some of the defenses that exist today against "lone wolves." He could instruct the agent to find scientific studies that are often hidden behind a paywall, and read their contents in a haphazard manner, to understand how to produce dangerous viruses. He could instruct the agent to order DNA fragments over the Internet, all by himself and without human intervention. The agent could even find used laboratory equipment on eBay or the dark web, and order it through a series of sub-suppliers so as not to arouse suspicion.
On the bright side, OpenAI would rather not help terrorists destroy humanity. To reduce the risk of such a scenario coming true, they trained the agent to be particularly suspicious of requests that could lead to the creation of biological weapons.
“We have decided to treat the GPT Chat Agent as having high biological and chemical capabilities…” the developers explained on the company’s website. “Although we do not have conclusive evidence that the model could significantly help an uninformed person create a serious biological threat… we prioritize preventative caution, and are implementing the necessary restrictions now.”
What are those limitations? They don't reveal exactly, for obvious reasons. We wouldn't want to give lone wolves a glimpse into the inner logic of the definitions they're up against. But from reading OpenAI's statement, we can understand that the agent is trained on various threat scenarios, which have taught it to refuse suspicious requests very well, and that it goes through its own internal 'logic' to make sure it doesn't try to circumvent its limitations.
Will these restrictions be enough?
That's what OpenAI researchers were trying to find out when they hired all those scientists and asked them to develop the next biological weapon.
The challenge: Destroy the world in theory
In recent months, OpenAI has hired “contractors” with backgrounds in all areas of technology and science except biology. After a brief introduction to the agent, the contractors were asked to use it to answer a questionnaire of up to 15 questions, all of which concerned the successful creation of the toxin “Abrin” or anthrax bacteria. If the subjects were able to use the agent to answer the questions correctly, they would have acquired much of the knowledge they needed to develop these biological weapons in the lab.
What were the results of the experiment? Are they encouraging or worrying for the future of humanity?
Well, the answer depends on how you interpret them.
When it came to creating Averin – a deadly toxin – the average score of the test takers who used the agent was only 50.5 percent. If this had been a final exam at the Technion, they would have failed. The average score for creating anthrax was 36.9 percent. Again, a resounding failure.
So why do I say the results are open to interpretation? First of all, because they are almost identical to the scores obtained by subjects who used other web tools to find answers to the same questions. According to my strict interpretation, this means that Agent itself replaces all those other web tools as a way to help amateur biologists find a solution to the destruction of the world.
Second, Agent is probably safe from malicious use attempts for now. But OpenAI is not alone in this. Sooner or later – and probably sooner – artificial intelligence will arrive that is as capable as Agent, but with minimal oversight. If that doesn’t scare you, well, I want some of your inspiration too.
And perhaps the danger will come from a completely different direction.
The path not taken
We began with Robert Frost, and we will end with another poem by the same poet – “The Road I Did Not Choose.” The American writer tells of two paths he was debating between. In his words, As translated by volunteers on the Ancient Mint forum -
"I will tell this story with sighs
One day, after most of my years have passed:
My path forked in a dense forest, and I –
I chose the one that was less traveled,
And that's the thing that changed my life."
A reading of the agent's system card makes it clear that OpenAI is primarily focused on the real and big concern of a biological attack. It also examines other concerns, such as how websites could influence an agent to act in harmful ways, but defense against biological weapons takes center stage in the report.
But it is not the only way to cause great harm to humanity.
I don't know yet what the "path less traveled" will be, and it will still allow the agent to harm humans. To OpenAI's credit, it is trying to seal loophole after loophole before they even open. It comes up with threat scenarios of all kinds, and tries to deal with them in advance. At the same time, it is clear that it is unable to do this well. No one can stop all possible damage. There will certainly be users in the coming months who will manage to go "the other way" and use the agent as an attack tool, or as a tool for collecting dangerous information, or for monitoring and misleading others.
If this scares you – great. It is important to be aware of the concerns and risks of any new technology. At the same time, I urge you to also think about the positive consequences. Because there will be plenty of those.
In the coming year, we will see people using Agent to gather accurate medical information about their medical problems. We will see entrepreneurs using it to start and manage projects that previously required the full attention of dozens of employees. We will find that it gives each of us the power to automate online operations easily and simply. And also research and information gathering processes, hopefully as a way to advance science, technology, and humanity.
And one last point to think about: Agent is just another link in the chain of artificial intelligence from the past three years. It shows us that progress has not stopped, and there is no sign that we are heading in the direction of stopping. In what is known as "the final test of humanity," it received a score of 41 out of a hundred. Doesn't sound high? True, but the most advanced artificial intelligence to date Reached a score of only 26In other words, Agent represents another step forward on the path to establishing artificial intelligence that can function as a human scientist, researcher, and engineer, and hopefully solve all of humanity's problems.
Let's just hope no one uses it to rid humanity of itself.
