The openai-agents SDK orchestrates multi-step, tool-using agents. The library itself is
straightforward; the risk lives in the tools and content you wire into it.
Install
pip install openai-agents
# or, with uv:
uv add openai-agents
Set your API key in the environment (never hard-code it):
export OPENAI_API_KEY="sk-..."
A minimal agent
from agents import Agent, Runner, function_tool
@function_tool
def get_weather(city: str) -> str:
return f"weather for {city}"
agent = Agent(name="assistant", instructions="Be concise.", tools=[get_weather])
print(Runner.run_sync(agent, "What's the weather in Oslo?").final_output)
The footguns
- Untrusted tool output is not instructions. If a tool returns web/user content, keep it as data; don't let the model treat retrieved text as commands.
- Gate irreversible actions. Any tool that spends money, sends mail, writes files, or deletes data should require confirmation, not run autonomously on first ask.
- Don't put secrets in instructions or tool descriptions. They leak into traces, logs, and responses.
- Constrain inputs. Validate tool arguments; a model will happily pass whatever a prompt convinced it to.
Is it safe to install?
Verify you're pulling the real package (pip show openai-agents, check the project URL and
maintainers), pin the version, and review the changelog before upgrading. The SDK is not the exposure —
your tools and the content they ingest are.