How Smart Tasks handle external access

When you enable Make External Connections, the agent can connect to outside services using credentials you or your users provide.

The agent does not ask for permission before acting

Unlike some AI coding and productivity tools that run on your local machine, the CustomGPT.ai agent with Smart Tasks enabled will not pause to ask "can I run this?" before executing code or making an external connection. If the agent has been given a key with broader permissions than the task requires, it may make changes beyond what was intended.

Because of this, it is extremely important to responsibly scope the permissions given to the agent with the API key or MCP server.

API keys shared in chat are not secure

If a user pastes an API key into the chat to complete a task, that key is not protected. Treat any key shared in a conversation as potentially exposed.

Best practices if providing API key in chat:

• Use one-time or short-lived API keys wherever the service supports them.
• Scope keys to the minimum permissions the task actually needs. If the agent only needs to read data, do not provide a key that can also write or delete.
• Revoke keys after use.

Related articles

• Smart Tasks overview
• Enable and configure Smart Tasks
• Plan & Act mode