HN Reader

Wow this is dangerous. I wonder how many people are going to turn this on without understanding the full scope of the risks it opens them up to.

It comes with plenty of warnings, but we all know how much attention people pay to those. I'm confident that the majority of people messing around with things like MCP still don't fully understand how prompt injection attacks work and why they are such a significant threat.

AI companies: Agentic AI has been weaponized. AI models are now being used to perform sophisticated cyberattacks, not just advise on how to carry them out. We need regulation to mitigate these risks.

The same AI companies: here's a way to give AI full executable access to your personal data, enjoy!

I've been waiting for ChatGPT to get MCPs, this is pretty sweet. Next step is a local system control plane MCP to give it sandbox access/permission requests so I can use it as an agent from the web.

OpenAI should probably consider:

- enabling local MCP in Desktop like Claude Desktop, not just server-side remote. (I don't think you can run a local server unless you expose it to their IP)

- having an MCP store where you can click on e.g. Figma to connect your account and start talking to it

- letting you easily connect to your own Agents SDK MCP servers deployed in their cloud

ChatGPT MCP support is underwhelming compared to Claude Desktop.

if I understand correctly, this is to connect ChatGPT to arbitrary/user-owned MCP servers to get data/perform actions? Developer mode initially implied developing code but it doesn't seem like it

> It's powerful but dangerous, and is intended for developers who understand how to safely configure and test connectors.

So... practically no one? My experience has been that almost everyone testing these cutting edge AI tools as they come out are more interested in new tool shinyness than safety or security.

Personal opinion:

MCP for data retrieval is a much much better use case than MCPs for execution. All these tools are pretty unstable and usually lack reasonable security and protection.

Purely data retrieval based tasks lower the risk barrier and still provide a lot of utility.

Thinking about what Jony Ive said about “owning the unintended consequence” of making screens ubiquitous, and how a voice controlled, completely integrated service could be that new computing paradigm Sam was talking about when he said “ You don’t get a new computing paradigm very often. There have been like only two in the last 50 years. … Let yourself be happy and surprised. It really is worth the wait.”

I suspect we’ll see stronger voice support, and deeper app integrations in the future. This is OpenAI dipping their toe in the water of the integrations part of the future Sam and Jony are imagining.

First the page gave me an error message. I refreshed and then it said my browser was "out of date" (read: fingerprint resistance is turned on). Turned that off and now I just get an endless captcha loop.

I give up.

I tried adding Context7 Documentation MCP and got this

URL:https://mcp.context7.com/mcp Safety Scan: Passed

This MCP server can't be used by ChatGPT to search information because it doesn't implement our specification: search action not found https://platform.openai.com/docs/mcp#create-an-mcp-server

I tried to connect our MCP (https://technicalseomcp.com) but got an error.

I don't see any debugging features yet

but I found an example implementation in the docs:

https://platform.openai.com/docs/mcp

Is the focus on how dangerous mcp capabilities are a way to legitimize why they have been slow to adopt the mcp protocol? Or that they have internally scrapped their own response and finally caved to something that ideally would be a more security focused standard?

I've been using MCP servers with ChatGPT, but I've had to use external clients on the API. This works straight from the main client or on their website. That's a big win.

I don't understand how this is dangerous. Can someone explain how this is different than just connecting the MCP normally and prompting it to use the same tools? I understand that this is just a "slightly more technical" means to access the same tools. What am I missing?

Two replies to this comment have failed to address my question. I must be missing something obvious. Does ChatGPT not have any MCP support outside of this, and I've just been living in an Anthropic-filled cave?

I'd love to use this with AnkiConnect, so I can have it make cards during conversations.

A bit late to this discussion — but we've been looking at this problem for a while and have implemented a cryptographic approach I wrote about here: https://news.ycombinator.com/item?id=45244297_ID

TL;DR: We treat AI components like untrusted network services and apply mTLS-style verification. The aha! was in making security invisible to developers. It works.

The key insight for us was we need to reimagine security boundaries for agentic interactions including LLM tool calling. We built "Authenticated Workflows" - cryptographic enforcement at the tool layer. Intent is signed before the LLM sees it, tools verify independently, policies are cryptographically bound. Even confused LLMs can't forge signatures.

Technical details here: https://www.macawsecurity.com/blog/zero-trust-tool-calling-f...

Feedback and inputs much appreciated.

> Eligibility: Available in beta to Pro and Plus accounts on the web.

But not Team?

Maintained list of remote only MCP servers here: https://github.com/jaw9c/awesome-remote-mcp-servers

I've found LangGraph's tool approach to be easier to work with compared to MCP.

Any Python function can become a tool. There are a bunch of built in ones like for filesystem access.

I think the dangers are over stated. If you give it access to non-privileged data, use BTRFS snapshots and ban certain commands at the shell level, then no worries.

It's funny.

For decades, the software engineering community writ large has worked to make computing more secure. This has involved both education and significant investments.

Have there been major breaches along the way? Absolutely!

Is there more work to be done to defend against malicious actors? Always!

Have we seen progress over time? I think so.

But in the last few days, both Anthropic[0] and now OpenApi have put offerings into the world which effectively state to the software industry:

  Do you guys think you can stop us from making new
  and unstoppable attack vectors that people will
  gladly install, then blame you and not us when their
  data are held ransom along with their systems being
  riddled with malware?

  Hold my beer...

0 - https://www.anthropic.com/news/claude-for-chrome

The only thing missing now is support on mobile, then ChatGPT could be an actual assistant.

Can MCPs be called from advanced voice mode?

I wonder if this is going to be used by JetBrains AI in any capacity.

Eliezer Yudkowsky in shambles.

:)

Am I the only one who doesn’t know what MCP is/means? Of course I’m about to go look it up, but if someone can provide a brief description of what it is then I’d be very appreciative. Thanks!

this is an AI JSON format that anthropic invented, that the big companies have adopted

amazing, others have already shipped this, glad to see chatgpt joining the list

Zjjzzmmzmzkzkkz,z

Zmmzmzmzmmz

As Trump just said, "Here we go!".

LLMs making arbitrary real-world actions via MCP.

What could possibly go wrong?

Only the good guys are going to get this, right?

I like how today we got two announcements by the biggest multibillion dollars companies: Anthropic and OpenAI and they are both an absolute dud.

Man, that path to AGI sure is boring.

Create a pull request using "GitHub.open_pull_request" from branch "feat-retry" into "main" with title "Add retry logic" and body "…". Do not push directly to main.

-bwahaha

Can someone be clear about what this is? Just MCP support to their CLI coding agent? Or is it MCP support to their online chatbot?

The title should be: "ChatGPT adds full MCP support"

Calling it "Developer Mode" is likely just to prevent non-technical users from doing dangerous things, given MCP's lack of security and the ease of prompt injection attacks.

“We’ve found numerous MCP exploits from the official MCPs in our blog (https://tramlines.io/blog) and have been powering runtime guardrails to defend against lethal trifecta MCP attacks for a while now (https://tramlines.io)

Progress, but the real unlock will be local MCP/desktop client support. I don't have much interest in exposing all my local MCPs over the internet.

Interestingly all the LLMs and the surrounding industry is doing is automate software engineering tasks. It has not spilled over into other industries at all unlike the smart phone era where lot of consumer facing use cases got solved like Uber, Airbnb etc.. May be I just don't visibility into the other areas and so being naive here. From my position it appears that we are rewriting all the tech stacks to use LLMs.

> Eligibility: Available in beta to Pro and Plus accounts on the web.

I use the desktop app. It causes excessive battery drain, but I like having it as a shortcut. Do most people use the web app?

ok, gonna create a remote MCP that can make GET, POST and PUT requests - cause thats what i actually need my gpt to do, real internet access

GPT actions allowed mostly the same functionality, I don't get the sudden scare about the security implications. We are in the same place, good or bad.

Btw it was already possible (but inelegant) to forward Gpt actions requests to MCP servers, I documented it here

https://harmlesshacks.blogspot.com/2025/05/using-mcp-servers...

And here I am still waiting for some kind of hooks support for ChatGPT/Codex.

Dominos Pizza MCP would be sick

I'm confused and I'm a developer

"Hello? Yes, this is frog. 'Is the water getting warmer?' I can't tell, why do you ask?"

im enabling skynet but plz admire the vocabulary i used in my post