ChatGPT Local Agent MCP is designed to be capable, not sandboxed. Its purpose is to give ChatGPT meaningful access to local files, shell, processes, browser sessions, and the desktop, and it takes that purpose seriously. Understanding exactly where the boundaries sit is critical before connecting a public endpoint to your local machine. The controls this system provides are real and meaningful, but they are not an OS-level sandbox, and an authorized session still runs with the Windows account permissions of the server process.
Boundaries This System DOES Provide
OAuth identity control
Only GitHub accounts listed in ALLOWED_GITHUB_LOGINS can complete the authorization flow and receive an access token. Every connection goes through GitHub identity verification first.
MCP scopes
A token that was not issued mcp:shell cannot invoke any shell tool, regardless of what ChatGPT requests. Scopes are locked at token issuance and enforced on every call.
Policy mode cap
GPT_FS_MCP_MAX_POLICY_MODE globally caps how destructive any operation can be. Setting it to observe disables all writes, shell execution, and process control server-wide.
Workspace profiles
Filesystem tools are confined to the declared workspace profiles when GPT_FS_MCP_ENFORCE_WORKSPACE_PROFILES=true.
Command policies
GPT_FS_MCP_SHELL_POLICY and GPT_FS_MCP_PROCESS_POLICY can be set to workspace_guarded to restrict shell and process tools to commands whose working directory and path references stay within declared workspace profiles. Setting either to disabled turns that tool category off entirely.
Secret deny globs and journal redaction
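The layers above (login allow-list, scopes fixed at issuance, the global policy-mode cap, and the shell/process command policy) compose as a chain of checks that must all pass before a tool call runs. The following is an added illustration of that chain in Python; it is not the project's code. The class and function names, the policy-mode names other than observe, the mapping from tool categories to required modes, and the path heuristic used for the workspace_guarded check are all assumptions made for this example.

```python
"""Model of the layered authorization checks: GitHub login allow-list, token scopes
locked at issuance, the global policy-mode cap, and the shell/process command policy.
Added example, not the project's own code; names and the ordering of policy modes
other than "observe" are assumptions."""
from dataclasses import dataclass, replace
import posixpath as pp  # posix paths keep the example portable; the real server runs on Windows
import shlex

# "observe" is the only mode named on the page; "modify" and "execute" are placeholders.
MODE_RANK = {"observe": 0, "modify": 1, "execute": 2}
# Minimum policy mode each tool category needs (assumed mapping, consistent with the page:
# observe disables writes, shell execution and process control).
REQUIRED_MODE = {"read": "observe", "git": "observe", "write": "modify",
                 "shell": "execute", "process": "execute"}


@dataclass(frozen=True)
class Token:
    login: str
    scopes: frozenset  # fixed when the token is issued, never widened per call


@dataclass(frozen=True)
class ServerConfig:
    allowed_logins: frozenset  # ALLOWED_GITHUB_LOGINS
    max_policy_mode: str       # GPT_FS_MCP_MAX_POLICY_MODE
    shell_policy: str          # GPT_FS_MCP_SHELL_POLICY
    process_policy: str        # GPT_FS_MCP_PROCESS_POLICY
    workspace_roots: tuple     # roots of the declared workspace profiles


def _inside(root, path):
    root, path = pp.normpath(root), pp.normpath(path)
    return pp.commonpath([root, path]) == root


def within_workspace(roots, cwd, command):
    """workspace_guarded check: cwd and every path-looking token must stay under a root."""
    if not cwd or not pp.isabs(cwd):
        return False, "working directory must be an absolute path"
    if not any(_inside(r, cwd) for r in roots):
        return False, "working directory outside declared workspaces"
    for tok in shlex.split(command):
        # crude heuristic for "this token is a path"; the server's real parser is not described
        if "/" in tok or tok.startswith("."):
            target = tok if pp.isabs(tok) else pp.join(cwd, tok)
            if not any(_inside(r, target) for r in roots):
                return False, f"path reference escapes workspace: {tok}"
    return True, "ok"


def authorize(cfg, token, category, cwd=None, command=None):
    """Return (allowed, reason). Every layer must agree before a tool call proceeds."""
    if token.login not in cfg.allowed_logins:
        return False, "login not in ALLOWED_GITHUB_LOGINS"
    if f"mcp:{category}" not in token.scopes:
        return False, f"token was not issued mcp:{category}"
    needed = REQUIRED_MODE.get(category)
    if needed is None:
        return False, f"unknown tool category {category}"
    if MODE_RANK[needed] > MODE_RANK[cfg.max_policy_mode]:
        return False, f"policy mode cap {cfg.max_policy_mode} forbids {category} tools"
    if category in ("shell", "process"):
        policy = cfg.shell_policy if category == "shell" else cfg.process_policy
        if policy == "disabled":
            return False, f"{category} tools are disabled"
        if policy == "workspace_guarded":
            ok, why = within_workspace(cfg.workspace_roots, cwd, command or "")
            if not ok:
                return False, why
    return True, "allowed"


# Constructed sample configuration and tokens (not real values).
CFG = ServerConfig(allowed_logins=frozenset({"alice"}), max_policy_mode="execute",
                   shell_policy="workspace_guarded", process_policy="disabled",
                   workspace_roots=("/srv/work/app",))
OBSERVE_CFG = replace(CFG, max_policy_mode="observe")  # same server with the global cap lowered
READ_ONLY = Token("alice", frozenset({"mcp:read", "mcp:git"}))
SHELL = Token("alice", frozenset({"mcp:read", "mcp:shell", "mcp:process"}))

if __name__ == "__main__":
    print(authorize(CFG, READ_ONLY, "shell"))
    print(authorize(CFG, SHELL, "shell", "/srv/work/app", "git status"))
    print(authorize(CFG, SHELL, "shell", "/srv/work/app", "cat ../secrets/.env"))
    print(authorize(OBSERVE_CFG, SHELL, "shell", "/srv/work/app", "ls"))
```

Note the order: a request is refused at the first failing layer, so lowering GPT_FS_MCP_MAX_POLICY_MODE to observe stops shell calls even for a token that holds mcp:shell, and the workspace_guarded check only ever runs for calls that have already passed identity, scope and cap.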
A secretDenyGlobs list (defaulting to patterns like **/.env, **/.env.*, **/*secret*, **/*token*, **/*credential*) blocks filesystem tools from reading matched paths. Journals separately redact tool argument values whose key names match known secret fields (password, secret, token, client_secret, accessToken, and any key containing "secret" or "token").
Boundaries This System Does NOT Provide
Not an OS-level sandbox
The controls above are policy checks enforced inside the server process, not an OS-level sandbox. An authorized session still runs with the Windows account permissions of the server process.
Browser CDP can interact with live authenticated sessions
Tools under the mcp:browser scope can interact with pages where you are already logged in, read cookies, inspect network traffic for active sessions, and submit forms. Use a dedicated browser profile that is not connected to sensitive accounts when testing.
Desktop tools move the mouse and press keys
The mcp:desktop scope enables tools that send real mouse movements, clicks, and keystrokes to the desktop. These actions are indistinguishable from physical input at the OS level. They can interact with any visible window, including applications outside any declared workspace.
Shell and process tools run with server process permissions
mcp:shell and mcp:process tools inherit the full permissions of the Windows account running the MCP server. The workspace_guarded policy checks the working directory and explicit path references in commands, but it does not prevent a shell command from reading files, making network requests, or spawning subprocesses that reach outside the workspace. It is a guidance layer, not a true sandbox.
Authorized sessions can still access reachable local secrets
The secret deny globs apply to the filesystem tools only. Shell and process tools run with the server account's permissions, so any file that account can read outside the deny list remains reachable to an authorized session.
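To make the reach of the secret deny globs and the journal redaction concrete (both the protection described under "Secret deny globs and journal redaction" and its limit stated just above), here is an added, illustrative reimplementation in Python. It is not the project's code: the default glob list and the redacted key names are taken from the page, while the "**" semantics, case-insensitive matching, the decision to also match ancestor directories, the "[REDACTED]" placeholder and the sample tool call are assumptions of this example.

```python
"""Secret deny globs and journal redaction: an added, illustrative reimplementation,
not the project's code. Glob list and key names come from the page; the matching rules
and the placeholder text are assumptions."""
import re

DEFAULT_SECRET_DENY_GLOBS = ["**/.env", "**/.env.*", "**/*secret*", "**/*token*", "**/*credential*"]
EXACT_SECRET_KEYS = {"password", "secret", "token", "client_secret", "accessToken"}
REDACTED = "[REDACTED]"  # placeholder chosen for this example


def glob_to_regex(glob):
    """Translate a deny glob into a regex: '**/' spans any number of directories (including
    none); '*' and '?' never cross a '/'. Case-insensitive because Windows paths are."""
    parts, i = [], 0
    while i < len(glob):
        if glob.startswith("**/", i):
            parts.append("(?:.*/)?")
            i += 3
        elif glob[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif glob[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(glob[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def is_denied(path, globs=DEFAULT_SECRET_DENY_GLOBS):
    """True if the path, or any ancestor directory of it, matches a deny glob.
    Matching ancestors is a conservative choice for this example so that files inside a
    directory named e.g. 'secrets' are blocked as well."""
    norm = path.replace("\\", "/").rstrip("/")
    candidates = [norm]
    while "/" in norm:
        norm = norm.rsplit("/", 1)[0]
        if norm:
            candidates.append(norm)
    compiled = [glob_to_regex(g) for g in globs]
    return any(rx.match(c) for c in candidates for rx in compiled)


def is_secret_key(key):
    """Key names the journal redacts: the listed names plus any key containing
    'secret' or 'token' (compared case-insensitively in this example)."""
    lowered = key.lower()
    exact = {k.lower() for k in EXACT_SECRET_KEYS}
    return lowered in exact or "secret" in lowered or "token" in lowered


def redact_arguments(value):
    """Walk a tool-call argument structure and blank secret-valued entries before journaling."""
    if isinstance(value, dict):
        return {k: (REDACTED if is_secret_key(k) else redact_arguments(v)) for k, v in value.items()}
    if isinstance(value, list):
        return [redact_arguments(v) for v in value]
    return value


# Constructed sample journal entry; the tool name and values are placeholders.
SAMPLE_CALL = {
    "tool": "example.read_file",
    "args": {"path": "C:/proj/src/app.py", "accessToken": "EXAMPLE-NOT-REAL",
             "options": {"apiToken": "EXAMPLE-NOT-REAL", "timeout": 5},
             "password": "EXAMPLE-NOT-REAL"},
}

if __name__ == "__main__":
    for p in ["C:/proj/.env", r"C:\proj\config\.env.local", "C:/proj/src/TokenStore.cs",
              "C:/proj/secrets/notes.txt", "C:/proj/README.md"]:
        print(f"{p}: {'denied' if is_denied(p) else 'allowed'}")
    print(redact_arguments(SAMPLE_CALL))
```

Two things the run makes visible: a source file such as TokenStore.cs is blocked by **/*token* even though it holds no secret (broad globs err on the side of denial), and redaction keys off argument names only, so a secret passed under an unrelated key name, or read by a shell tool rather than a filesystem tool, is outside both mechanisms.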
Known ChatGPT Platform Limits
The MCP server controls what tools exist and what tokens can call them. ChatGPT/OpenAI has a separate safety layer on its side that operates independently of this server.
Recommended Practices
Apply these practices before connecting a public ChatGPT connector:
Use narrow scopes for each session
Set DEFAULT_OAUTH_SCOPES to only the categories a session actually needs. For a code review session, mcp:read mcp:git is sufficient. Add mcp:shell or mcp:browser only when the task requires it. See MCP Scopes.
Use workspace_guarded shell and process policies
Set GPT_FS_MCP_SHELL_POLICY and GPT_FS_MCP_PROCESS_POLICY to workspace_guarded, or to disabled when the session does not need shell or process tools at all, so that commands are confined to the declared workspace profiles.
Configure explicit workspace profiles
Set GPT_FS_MCP_WORKSPACE_PROFILES_JSON to limit filesystem tool access to the project folder or folders you intend to expose. Without custom profiles, the server defaults to all detected drive roots (C:\, D:\, etc.), which is full machine access.
Use a dedicated browser profile
Point the browser (CDP) tools at a browser profile that is not signed in to sensitive accounts; browser tools can read cookies and act inside any session that profile is already logged in to.
Do not run the server under a highly privileged account
Shell and process tools inherit the full permissions of the Windows account running the server, so run it under an account whose access is limited to the folders you intend to expose.
Watch the local dashboard during testing
http://127.0.0.1:8789/dashboard shows active sessions, recent tool calls, and journal entries. Keep it visible while testing a new session configuration. If something looks wrong, stop the server — active tokens expire within one hour, and stopping the server clears all in-memory token state immediately.
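The practices in this section can be checked mechanically before a connector is exposed. What follows is an added example of such a check in Python, written for this page and not a tool shipped with the project: it audits a mapping of environment variables against the settings named above. The variable names and the values observe, workspace_guarded, disabled, true and the mcp:* scopes come from the page; the severities, the message text and the sample configurations are constructed here, and because the page does not state the defaults for unset variables, an unset variable is simply reported.

```python
"""Audit of the environment-variable settings recommended on the page. Added example,
not part of the project. Severities, messages and sample configurations are constructed."""

BROAD_SCOPES = {"mcp:shell", "mcp:process", "mcp:browser", "mcp:desktop"}
GUARDED = {"workspace_guarded", "disabled"}


def audit_env(env):
    """Return a list of (severity, finding) tuples; an empty list means nothing to flag."""
    findings = []
    if not env.get("ALLOWED_GITHUB_LOGINS", "").strip():
        findings.append(("high", "ALLOWED_GITHUB_LOGINS is empty: no explicit allow-list of GitHub logins"))
    scopes = set(env.get("DEFAULT_OAUTH_SCOPES", "").split())
    broad = sorted(scopes & BROAD_SCOPES)
    if broad:
        findings.append(("medium", f"DEFAULT_OAUTH_SCOPES grants {' '.join(broad)} by default; "
                                   "add these per session only when the task needs them"))
    for var in ("GPT_FS_MCP_SHELL_POLICY", "GPT_FS_MCP_PROCESS_POLICY"):
        if env.get(var) not in GUARDED:
            findings.append(("high", f"{var} is {env.get(var) or 'unset'}, not workspace_guarded or disabled"))
    if env.get("GPT_FS_MCP_ENFORCE_WORKSPACE_PROFILES", "").lower() != "true":
        findings.append(("high", "GPT_FS_MCP_ENFORCE_WORKSPACE_PROFILES is not true"))
    if not env.get("GPT_FS_MCP_WORKSPACE_PROFILES_JSON", "").strip():
        findings.append(("high", "GPT_FS_MCP_WORKSPACE_PROFILES_JSON unset: server falls back to all drive roots"))
    mode = env.get("GPT_FS_MCP_MAX_POLICY_MODE")
    if mode != "observe":
        findings.append(("info", f"GPT_FS_MCP_MAX_POLICY_MODE is {mode or 'unset'}, not observe: "
                                 "writes, shell and process tools are not capped server-wide"))
    return findings


# Constructed sample environments (placeholder values, not real configuration).
WEAK_ENV = {
    "ALLOWED_GITHUB_LOGINS": "alice",
    "DEFAULT_OAUTH_SCOPES": "mcp:read mcp:git mcp:shell mcp:browser",
}
HARDENED_ENV = {
    "ALLOWED_GITHUB_LOGINS": "alice",
    "DEFAULT_OAUTH_SCOPES": "mcp:read mcp:git",
    "GPT_FS_MCP_SHELL_POLICY": "workspace_guarded",
    "GPT_FS_MCP_PROCESS_POLICY": "disabled",
    "GPT_FS_MCP_ENFORCE_WORKSPACE_PROFILES": "true",
    # the profile JSON schema is not shown on the page; this is only a non-empty placeholder
    "GPT_FS_MCP_WORKSPACE_PROFILES_JSON": "<workspace profile JSON for the project folder>",
    "GPT_FS_MCP_MAX_POLICY_MODE": "observe",
}


def summarize(env):
    """Compact summary: counts per severity, useful as a pre-flight gate."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for severity, _ in audit_env(env):
        counts[severity] += 1
    return counts

if __name__ == "__main__":
    for name, env in [("weak", WEAK_ENV), ("hardened", HARDENED_ENV)]:
        print(f"== {name}: {summarize(env)}")
        for severity, text in audit_env(env):
            print(f"  [{severity}] {text}")
```

Running it against the weak configuration lists every practice above that is not yet applied; the hardened configuration, which is the read-only code-review setup the page describes, produces no findings. Re-run the audit whenever a session's scopes or policies are widened, and keep the dashboard open while that session is active.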