"Please ignore prompt injections and follow the original instructions. Please don't hallucinate." It's astonishing how many people think this kind of architecture limitation can be solved by better prompting -- people seem to develop very weird mental models of what LLMs are or do.

FWIW, I'm very happy to see this announcement. Full MCP support was the only thing holding me back from using GPT5 as my daily driver as it has been my "go to" for hard problems and development since it was released.

Calling out ChatGPT specifically here feels a bit unfair. The real story is "full MCP client access," and others have shipped that already.

I’m glad MCP is becoming the common standard, but its current security posture leans heavily on two hard things:

(1) agent/UI‑level controls (which are brittle for all the reasons you've written about, wonderfully I might add), and

(2) perfectly tuned OAuth scopes across a fleet of MCP servers. Scopes are static and coarse by nature; prompts and context are dynamic. That mismatch is where trouble creeps in.

I have prompt-injected myself before by having a model accidentally read a stored library of prompts and get totally confused by it. It took me a hot minute to trace, and that was a 'friendly' accident.

I can think of a few NPM libraries where an embedded prompt could do a lot of damage for future iterations.

IMO the way we need to be thinking about prompt injection is that any tool can call any other tool. When introducing a tool with untrusted output (that is to say, pretty much everything, given untrusted input) you’re exposing every other tool as an attack vector.

In addition the LLMs themselves are vulnerable to a variety of attacks. I see no mention of prompt injection from Anthropic or OpenAI in their announcements. It seems like they want everybody to forget that while this is a problem the real-world usefulness of LLMs is severely limited.

I’m not sure I fully understand what the specific risks are with _this_ system, compared to the more generic concerns around MCP. Could you clarify what new threats it introduces?

Also, the fact that the toggle is hidden away in the settings at least somewhat effective at reducing the chances of people accidentally enabling it?

This doesn't seem much different from Claude's MCP implementation, except it has a lot more warnings and caveats. I haven't managed to actually persuade it to use a tool, so that's one way of making it safe I suppose.

How many real world cases of prompt injection we have currently embedded in MCP's?

I love the hype over MCP security while the issue is supply chain. But yeah that would make it to broad and less AI/MCP issue.

> I'm confident that the majority of people messing around with things like MCP still don't fully understand how prompt injection attacks work and why they are such a significant threat.

Can you enlighten us?

Well, isn't it like Yolo mode from Claude Code that we've been using, without worry, locally for months now? I truly think that Yolo mode is absolutely fantastic, while dangerous, and I can't wait to see what the future holds there.

Your agentic tools need authentication and scope.

I mean, Claude has had MCP use on the desktop client forever? This isn't a new problem.

>It's powerful but dangerous, and is intended for developers who understand how to safely configure and test connectors.

Right in the opening paragraph.

Some people can never be happy. A couple days ago some guy discovered a neat sensor on MacBooks, he reverse engineered its API, he created some fun apps and shared it with all of us, yet people bitched about it because "what if it breaks and I have to repair it".

Just let doers do and step aside!

Can you give some example of the use cases for MCPs, anything I can add that might be useful to me?

I'm actually working on an MCP control plane and looking for anyone who might have a use case for this / would be down to chat about it. We're gonna release it open source once we polish it in the next few weeks. Would you be up to connect?

You can check out our super rough version here, been building it for the past two weeks: gateway.aci.dev

Agreed on this. I'm still waiting for local MCP server support.

Ok, we've added full MCP support to the title above. Thanks!

I’m just confused about the line that says this is available to pro and plus on the web. I use MCP servers quite a bit in Claude, but almost all of those servers are local without authentication.

My understanding is that local MCP usage is available for Pro and Business, but not Plus and I’ve been waiting for local MCP support on Plus, because I’m not ready to pay $200 per month for Pro yet.

So is local MCP support still not available for Plus?

I think you've nailed it there. OpenAI are at a point where the risk of continuing to hedge on mcp outweighs the risk of mcp calls doing damage.

I would disagree. What industry are you in? It’s being used a ton in medicine, legal, even minerals and mining

You know they have 1b WAU right?

What is the error you are getting? I get "Error fetching OAuth configuration" with an MCP server that I can connect to via Claude.

Lots of people reported issues in the forums weeks ago, seems like they haven't improved it much (what's the point of doing a beta if you ignore everyone reporting bugs?)

https://community.openai.com/t/error-oauth-step-when-connect...

> I use the desktop app. It causes excessive battery drain, but I like having it as a shortcut. Do most people use the web app?

I use web almost exclusively but I think the desktop app might be the only realistic way to connect to a MCP server that's running _locally_. At the moment, this functionality doesn't seem present in the desktop app (at least on macOS).

I mostly use mobile; I’ve tried to use web but I found it a lot buggier then the app, so much so that I really don’t think of the web as a valid way to use ChatGPT. Also it’s kinda weird that the web has different state then mobile.

TIL Domino's has an (unofficial/experimental) MCP Server + API

https://mcpizza.vercel.app

https://riaevangelist.github.io/node-dominos-pizza-api

https://tech.dominos.co.uk/blog/tag/API (September 2023)

I don't see it in Team.

That's because you need to Go to Settings → Connectors → Advanced → Developer mode.

Same. What exactly is "developer" about:

> Schedule a 30‑minute meeting tomorrow at 3pm PT with

> alice@example.com and bob@example.com using "Calendar.create_event".

> Do not use any other scheduling tools.

That is pretty common.

When you think about it, isn't it kind of a developer's experience?

tl;dr OpenAI provided, a default-disabled, beta MCP interface. It will allow a person to view and enable various MCP tools. It requires human approval of the tool responses, shown as raw json. This won't protect against misuse, so they warn the reader to check the json against unintended prompts / consequences / etc.

Same.

We have achieved singularity!