OpenAI just gave its Codex agent the keys to your Mac. Not metaphorically — literally. As of May 21, Codex can operate your desktop applications, click through menus, type into fields, and execute multi-step workflows even when your screen is off and locked. You can trigger it from your phone while sitting in a restaurant. Your Mac stays home, screen dark, while an AI agent runs errands on it like a digital house-sitter who also reads your diary.
And here’s the part OpenAI is hoping you’ll skim past: a companion feature called Chronicle periodically captures screenshots of everything on your screen, runs OCR on them, and stores text-based “memories” as unencrypted Markdown files on your device. If this sounds familiar, it’s because Microsoft tried the exact same thing with Recall in 2024 — and got dragged so hard by security researchers that it delayed the launch by a year.
From Sandbox to Full Desktop Control in Six Weeks
The speed of Codex’s transformation is the part that should make you pay attention. In March 2026, Codex was a sandboxed code-runner — it worked on copies of your files inside an isolated cloud container and couldn’t touch your local machine. By late May, it can operate any Mac application with its own cursor, run multiple background agents simultaneously without interrupting your foreground work, navigate third-party GUIs, install from a catalog of 90+ plugins, and execute tasks on automated daily or weekly schedules.
Three updates did the heavy lifting. On April 16, OpenAI released “Codex for (almost) everything,” which added computer-use capabilities, local file access, an in-app browser, and image generation. On April 20, Chronicle arrived. On May 14, the mobile preview launched — letting you monitor and approve Codex tasks from the ChatGPT app on your phone. Then on May 21, locked-Mac control dropped. The sandbox didn’t evolve — it evaporated.
Chronicle Is Recall With a Different Name and Worse Encryption
Let’s be precise about what Chronicle does. Sandboxed background agents periodically capture screenshots of your screen. They extract text via OCR. They summarize selected frames into Markdown files stored locally. When you later ask Codex something vague — “fix this” or “continue what I was working on yesterday” — the agent reads those stored memories to figure out what you mean.
Solving the context problem is legitimately useful. But OpenAI’s own documentation lists the trade-offs with unusual directness: the feature “uses rate limits quickly, increases risk of prompt injection, and stores memories unencrypted on your device.” Selected screenshot frames get processed through OpenAI’s servers to generate those memories. Screenshots older than six hours are automatically deleted. But the Markdown memory files themselves? They sit on your machine, accessible to any other application running on it.
The prompt injection risk isn’t theoretical. Chronicle reads everything on screen at the time of capture — including web pages. If you browse a page containing hidden or disguised instructions (white text, invisible elements, crafted payloads), Codex may follow those instructions the next time it reads that memory. OpenAI’s own documentation recommends pausing Chronicle before meetings or when viewing sensitive material. Read that sentence again. The company is telling you their feature will capture things it shouldn’t, and making that your problem to manage.
The Security Surface Just Got Dramatically Larger
This isn’t speculation. In December 2025, BeyondTrust’s Phantom Labs found that Codex passed GitHub branch names directly into shell commands without sanitization. An attacker could embed malicious commands in a branch name and walk out with a victim’s GitHub authentication token in cleartext — with potential read/write access to the entire codebase. OpenAI patched it on February 5, 2026. But that vulnerability existed in the sandboxed version of Codex. The new surface area — full desktop control, ambient screen capture, locked-Mac operation, plugin ecosystem — is orders of magnitude larger.
Check Point Research’s Eli Smadja put it plainly after the branch-name exploit: “Don’t assume AI tools are secure by default.” Now apply that logic to a tool that can click through any application on your Mac while you’re asleep.
The Locked Mac Feature Is More Ambitious Than It Sounds
Here’s how it works: the Computer Use plugin gets installed and granted Screen Recording and Accessibility permissions on macOS. After that, Codex can click through windows, type, navigate menus, and interact with the clipboard in apps you explicitly allow. When the locked-Mac mode is active, your Mac displays a “Codex is Using Your Mac” overlay — but you’re not there to see it, because the entire point is that you’ve walked away.
You can send tasks from your phone and watch Codex operate your desktop remotely. For brave souls, there’s an “Always allow” setting that lets Codex bypass per-app permission prompts. OpenAI says it can’t automate Terminal apps, Codex itself, or system-level admin prompts. It also won’t work in the EU, UK, or Switzerland — which tells you everything about how confident OpenAI is that this feature survives contact with actual privacy regulators.
GPT-5.5 Makes the Agent Smarter — Which Makes the Stakes Higher
Underneath all of this sits GPT-5.5, released April 23 as the new default model for Codex tasks. On Terminal-Bench 2.0, which tests complex command-line workflows requiring planning, iteration, and tool coordination, GPT-5.5 scored 82.7% accuracy — OpenAI’s highest agentic-coding benchmark result ever. Cursor’s CEO said it “stays on task for significantly longer without stopping early.” It supports a one-million-token context window in the API and completes tasks with fewer tokens than GPT-5.4.
A smarter agent that stays on task longer is exactly what you want when the agent is helping you write code. It’s exactly what should concern you when the agent has full desktop control, ambient screen capture, and the ability to operate while you’re not watching.
The Real Question OpenAI Isn’t Answering
The four million weekly developers using Codex are being asked to make a trade: give up meaningful security boundaries in exchange for genuinely useful capabilities. The mobile preview is available on the free tier. Chronicle is Pro-only for now, but the direction is clear. OpenAI is building a product where the AI doesn’t just help you work — it watches you work, remembers what it saw, operates your computer autonomously, and does all of this on a locked machine you’re not sitting in front of.
Microsoft tried ambient screen capture with Recall and got hauled in front of regulators and security researchers before it even shipped. OpenAI is doing the same thing, adding full desktop control on top, and the response has been noticeably quieter. Maybe it’s because developers have a higher risk tolerance. Maybe it’s because OpenAI framed it as a coding tool rather than a consumer feature. Or maybe the AI hype cycle has simply moved the window of what people will accept from a company that asks for Screen Recording, Accessibility, and locked-Mac access in exchange for a promise that the agent won’t do anything you didn’t ask for.
The verdict: OpenAI Codex has become the most capable AI agent on any desktop — and the most permission-hungry. The features are genuinely impressive. The security posture is genuinely concerning. If you’re going to use it, disable Chronicle, audit your “Always allow” list weekly, and never forget that the company telling you to pause screen capture before meetings is the same company that built the screen capture feature in the first place.
