If you have an MCP tool that can perform write actions and you use it in a context where an attacker may be able to sneak their own instructions into the model (classic prompt injection) that attacker can make that MCP tool do anything they want.

▲

CGamesPlay 5 days ago | parent [-]

How is this "developer mode" different than just connecting the MCP normally and prompt injecting it to use the same tools?

	▲	simonw 5 days ago \| parent [-]
		It's no different. This just brings that unsafe anti-pattern to the ChatGPT consumer app itself - albeit hidden behind an option with a scary name that might hopefully discourage many users who don't understand the consequences from turning it on.