OpenAI has added a beta of Developer mode to ChatGPT, enabling full read and write support for MCP (Model Context Protocol) tools, though the documentation describes the feature as dangerous.
Developer community lead Edwin Arbussaid that "in developer mode, developers can create connectors and use them in chat for write actions (not just search/fetch). Update Jira tickets, trigger Zapier workflows or combine connectors for complex automations." Limitations in the initial beta are that developer mode does not work in Team workspaces or in project chats.
Arbus demonstrated how the feature could link ChatGPT to Stripe so that the AI can raise invoices and send them in response to a prompt. There is a Confirm button before an action is taken but this can be disabled for a trusted MCP server by checking an option to "remember for this conversation."
The response from users is enthusiastic in principle. "Full MCP support is a game-changer for devs. Now, building integrations and automating workflows directly in chat is smoother than ever,"said one. Other comments on X state that the feature is "much awaited", will make ChatGPT "10x more practically useful" and that it "changes the game for production workflows."
Some users have encountered bugs, either with connectors not working, or returning fictional information. One user connected ChatGPT to Atlassian's Jira issue tracking tool, asked it to summarize an issue, andreported that the tool was called, returned data, but that "GPT completely make up the summary, it's something completely different than in the Jira issue."
More serious problems are possible. Thedocumentation states that the feature is "powerful but dangerous, and is intended for developers who understand how to safely configure and test connectors. When using developer mode, watch for prompt injections and other risks, model mistakes on write actions that could destroy data, and malicious MPCs that attempt to steal information."
ChatGPT developer mode comes with a security warning
ChatGPT is popular among mainstream users, not just developers, making it more likely that risks are not understood. "Wow this is dangerous,"said Django co-creator and AI enthusiast Simon Willison. "It comes with plenty of warnings, but we all know how much attention people pay to those. I'm confident that the majority of people messing around with things like MCP still don't fully understand how prompt injection attacks work and why they are such a significant threat."
- AI-powered penetration tool, an attacker's dream, downloaded 10K times in 2 months
- Total recall: Mistral AI's Le Chat can now remember your conversations
- Google and Zed push protocol to pry AI agents out of VS Code's clutches
- Solo.io boss: I was wrong, I made mistakes – and that made me a better CEO
Acomment on X described how the feature might be used to exfiltrate email data by sending the victim a calendar invite that includes an instruction to ChatGPT to search private emails and send the data to the attacker. This could be triggered by the user asking ChatGPT to "help prepare for their day by looking at their calendar."
Industry adoption of MCP is proceeding at speed, and vendors who do not support it risk being left behind, even though security concerns are a good reason for caution. "Calling out ChatGPT specifically here feels a bit unfair," said a user on Hacker News, observing that others have already shipped similar features. ®
Biting the hand that feeds IT
