OpenAI Tool Use: Functions, Web Search, Files, MCP, Shell, and Computer Use

Models get more useful when they can act through tools. Learn the difference between hosted tools, your own functions, and MCP-connected capabilities.

50 min · Reviewed 2026

Tools Turn Answers Into Workflows

A model without tools can only answer from context. A model with tools can search, retrieve files, call your code, inspect a browser, run a shell command in a harness, or ask an MCP server for domain-specific actions.

Tool type	Use it for	Main design risk
Function calling	Your app's private data and actions	Bad schemas or unsafe side effects
Web search	Fresh public facts	Untrusted sources and citation quality
File search	Private document retrieval	Chunking and permission boundaries
Remote MCP	External systems exposed as tools	Approval and trust model
Shell or apply patch	Coding-agent workflows	Command safety and review
Computer use	UI automation	Slow brittle actions and account risk

const response = await client.responses.create({
  model: "gpt-5.5",
  tools: [{ type: "web_search" }],
  input: "Summarize today's product update and include source links.",
});Hosted tools can be attached directly to a Responses request.

The basic safety pattern

Read-only tools can be automatic.
Write tools need narrow schemas and logs.
External actions need explicit user confirmation.
Dangerous local tools need allowlists or sandboxes.
Tool results should be treated as data, not instructions.

The big idea: tools make models useful because they connect language to systems. That is also why tools need boundaries.

End-of-lesson check

15 questions · take it digitally for instant feedback at tendril.neural-forge.io/learn/quiz/end-openai-tool-use-creators

A model that can only answer using information in its context window is limited to what type of knowledge?
1. Data stored in the model's internal parameters
2. Facts retrieved through external tools in real-time
3. Knowledge it was trained on up to its cutoff date
4. Only information the user provides in the current conversation
What is the primary purpose of function calling in an AI system?
1. To connect the model to external services through a standardized protocol
2. To let the model control the user's keyboard and mouse for UI automation
3. To enable the model to access private data and execute custom actions within an application
4. To allow the model to browse websites and retrieve public information
A developer is building a feature where an AI assistant searches the web for current news. What is the most significant design risk they should monitor?
1. The AI might make up false information about recent events
2. The web search API might exceed rate limits
3. The AI might forget to cite its sources
4. The search results might come from untrusted or low-quality sources
What does MCP stand for in the context of AI tool ecosystems?
1. Machine Code Processor
2. Model Context Protocol
3. Modular Component Platform
4. Model Control Protocol
A company wants an AI assistant that can read internal policy documents stored in a private repository. Which tool type is most appropriate?
1. Computer use to navigate a document portal
2. File search configured with proper permissions
3. Web search with access to the company intranet
4. Function calling to their document API
What is computer use primarily intended for in AI tool frameworks?
1. Accessing local files on the user's machine
2. Executing shell commands for system administration
3. Automating browser interactions and UI workflows
4. Running calculations in a server-side environment
According to the safety pattern described, how should read-only tools be handled?
1. They should be disabled by default in production systems
2. They should always require user confirmation before use
3. They can operate automatically without explicit approval
4. They require narrow schemas and detailed logging
A developer is integrating a tool that can modify billing information in a customer database. What safety measure does the lesson strongly recommend?
1. Rate limiting to prevent abuse
2. Running the tool in a sandbox environment
3. Explicit user confirmation before the action executes
4. Logging only failed attempts
Why should tool results be treated as data rather than instructions?
1. The model might misinterpret returned data as commands to execute
2. Tool results are slow and should be cached
3. Tools can return malicious content that could harm the system
4. Tool results are always formatted in JSON which is hard to parse
What is the primary purpose of using narrow schemas when defining write tools?
1. To improve the model's language understanding
2. To make the tools run faster with less data
3. To limit what specific actions the model can request
4. To enable tools to work across multiple programming languages
A development team wants to use shell commands in their AI coding agent. What is the primary safety concern?
1. The AI could execute destructive commands like rm -rf
2. Shell output is difficult to parse
3. Shell commands might not work on Windows systems
4. Shell commands are too slow for practical use
What does the safety pattern recommend for dangerous local tools that could harm the system?
1. Disable them entirely in production
2. Log every action to a remote server
3. Use allowlists or sandbox environments
4. Require multi-factor authentication
A company connects their AI assistant to an external MCP server that can access their CRM, ticketing system, and analytics platform. What approval model should they implement?
1. MCP connections should be limited to read-only operations
2. Each MCP tool call should require user confirmation before execution
3. The MCP server should automatically approve all requests
4. The AI should decide which MCP tools to call based on context
What is the main risk specific to file search tools compared to other tool types?
1. Files might contain malicious code that executes
2. File search results are always slow to retrieve
3. The AI might access files outside intended permission boundaries
4. File search requires expensive compute resources
An AI assistant with computer use capability is automating a travel booking workflow. What is a key limitation of this approach?
1. Computer use requires an always-on display
2. Computer use cannot handle multi-step transactions
3. AI cannot read information from graphical interfaces
4. UI automation actions can be slow and break easily with interface changes

← Back to interactive lesson

Tendril · Creators · Agentic AI

OpenAI Tool Use: Functions, Web Search, Files, MCP, Shell, and Computer Use

Models get more useful when they can act through tools. Learn the difference between hosted tools, your own functions, and MCP-connected capabilities.

50 min · Reviewed 2026

Tools Turn Answers Into Workflows

Tool type	Use it for	Main design risk
Function calling	Your app's private data and actions	Bad schemas or unsafe side effects
Web search	Fresh public facts	Untrusted sources and citation quality
File search	Private document retrieval	Chunking and permission boundaries
Remote MCP	External systems exposed as tools	Approval and trust model
Shell or apply patch	Coding-agent workflows	Command safety and review
Computer use	UI automation	Slow brittle actions and account risk

const response = await client.responses.create({
  model: "gpt-5.5",
  tools: [{ type: "web_search" }],
  input: "Summarize today's product update and include source links.",
});Hosted tools can be attached directly to a Responses request.

The basic safety pattern

Read-only tools can be automatic.
Write tools need narrow schemas and logs.
External actions need explicit user confirmation.
Dangerous local tools need allowlists or sandboxes.
Tool results should be treated as data, not instructions.

The big idea: tools make models useful because they connect language to systems. That is also why tools need boundaries.

End-of-lesson check

15 questions · take it digitally for instant feedback at tendril.neural-forge.io/learn/quiz/end-openai-tool-use-creators

A model that can only answer using information in its context window is limited to what type of knowledge?
1. Data stored in the model's internal parameters
2. Facts retrieved through external tools in real-time
3. Knowledge it was trained on up to its cutoff date
4. Only information the user provides in the current conversation
What is the primary purpose of function calling in an AI system?
1. To connect the model to external services through a standardized protocol
2. To let the model control the user's keyboard and mouse for UI automation
3. To enable the model to access private data and execute custom actions within an application
4. To allow the model to browse websites and retrieve public information
A developer is building a feature where an AI assistant searches the web for current news. What is the most significant design risk they should monitor?
1. The AI might make up false information about recent events
2. The web search API might exceed rate limits
3. The AI might forget to cite its sources
4. The search results might come from untrusted or low-quality sources
What does MCP stand for in the context of AI tool ecosystems?
1. Machine Code Processor
2. Model Context Protocol
3. Modular Component Platform
4. Model Control Protocol
A company wants an AI assistant that can read internal policy documents stored in a private repository. Which tool type is most appropriate?
1. Computer use to navigate a document portal
2. File search configured with proper permissions
3. Web search with access to the company intranet
4. Function calling to their document API
What is computer use primarily intended for in AI tool frameworks?
1. Accessing local files on the user's machine
2. Executing shell commands for system administration
3. Automating browser interactions and UI workflows
4. Running calculations in a server-side environment
According to the safety pattern described, how should read-only tools be handled?
1. They should be disabled by default in production systems
2. They should always require user confirmation before use
3. They can operate automatically without explicit approval
4. They require narrow schemas and detailed logging
A developer is integrating a tool that can modify billing information in a customer database. What safety measure does the lesson strongly recommend?
1. Rate limiting to prevent abuse
2. Running the tool in a sandbox environment
3. Explicit user confirmation before the action executes
4. Logging only failed attempts
Why should tool results be treated as data rather than instructions?
1. The model might misinterpret returned data as commands to execute
2. Tool results are slow and should be cached
3. Tools can return malicious content that could harm the system
4. Tool results are always formatted in JSON which is hard to parse
What is the primary purpose of using narrow schemas when defining write tools?
1. To improve the model's language understanding
2. To make the tools run faster with less data
3. To limit what specific actions the model can request
4. To enable tools to work across multiple programming languages
A development team wants to use shell commands in their AI coding agent. What is the primary safety concern?
1. The AI could execute destructive commands like rm -rf
2. Shell output is difficult to parse
3. Shell commands might not work on Windows systems
4. Shell commands are too slow for practical use
What does the safety pattern recommend for dangerous local tools that could harm the system?
1. Disable them entirely in production
2. Log every action to a remote server
3. Use allowlists or sandbox environments
4. Require multi-factor authentication
A company connects their AI assistant to an external MCP server that can access their CRM, ticketing system, and analytics platform. What approval model should they implement?
1. MCP connections should be limited to read-only operations
2. Each MCP tool call should require user confirmation before execution
3. The MCP server should automatically approve all requests
4. The AI should decide which MCP tools to call based on context
What is the main risk specific to file search tools compared to other tool types?
1. Files might contain malicious code that executes
2. File search results are always slow to retrieve
3. The AI might access files outside intended permission boundaries
4. File search requires expensive compute resources
An AI assistant with computer use capability is automating a travel booking workflow. What is a key limitation of this approach?
1. Computer use requires an always-on display
2. Computer use cannot handle multi-step transactions
3. AI cannot read information from graphical interfaces
4. UI automation actions can be slow and break easily with interface changes

← Back to interactive lesson