Use case
The full default capability set includesapply_patch, a grammar-typed
“custom” tool that gpt-5 and newer models accept but gpt-4.1 rejects
with Invalid value: 'custom'. This example drops the filesystem
capability and keeps only Shell(). The agent can still read and write
files — it does so via bash commands (cat, tee, sed, etc.)
instead of the native apply_patch / view_image tools.
What you’ll learn
- Restricting an agent to
capabilities=[Shell()]so it works with gpt-4.1 and older models - Configuring PII redaction + prompt-injection scanning via
SecurityPolicy - Limiting egress to a network allowlist
Prerequisites
Code walkthrough
Set up the sandbox client with a security policy and network allowlist:capabilities=[Shell()]
and model="gpt-4.1":
Expected output
When to use this
| Scenario | Capability set |
|---|---|
| gpt-5 family or newer | Default (shell + filesystem + compaction) |
| gpt-4.1 or older | [Shell()] only — this example |
PIIConfig, InjectionDefenseConfig,
SandboxNetworkOpts) works identically regardless of which capability
set the agent uses — it is enforced at the sandbox’s network boundary.
Full source
Seecookbook/examples/openai-agents-quickstart-shell-only/main.py in the repo.