LEGALAUDIT

Scam Watch

How can you recognize ChatGPT plugin / GPT store manifest poisoning?

TLDR

Attacker publishes a ChatGPT plugin or custom GPT with an innocuous description but malicious instructions inside the manifest / OpenAPI spec; when users invoke it, the plugin can exfiltrate conversation context (including pasted secrets,...

How it works

Attacker publishes a ChatGPT plugin or custom GPT with an innocuous description but malicious instructions inside the manifest / OpenAPI spec; when users invoke it, the plugin can exfiltrate conversation context (including pasted secrets,...

Red flags

  • Urgent pressure to click, pay, or share codes immediately.
  • A link or sender that does not match the official organization.
  • Requests for card data, passwords, OTPs, wallet signatures, or bank transfers.

What to do

  1. 1Tells: 1) plugin requests broad scopes (browse, mail, code execution); 2) manifest description doesn't match actual capability; 3) plugin author is anonymous / new; 4) reviews are sparse or AI generated; 5) responses include URLs / sidebar mentions to attacker domain.
  2. 2DO: only enable verified plugins from known publishers; never paste secrets into any GPT; for enterprises, deploy a vetted GPT allow list.

Source

ENISA-Threat-Landscape-2024

Source reviewed by Mythos Forensic Team

https://www.enisa.europa.eu/publications/enisa-threat-landscape-2024

FAQ

Is ChatGPT plugin / GPT store manifest poisoning a real scam pattern?

Yes. Treat the message, call, or payment request as suspicious until you verify it through an official channel.

What are the first warning signs?

Urgent pressure to click, pay, or share codes immediately.; A link or sender that does not match the official organization.; Requests for card data, passwords, OTPs, wallet signatures, or bank transfers.

What should I do first?

Tells: 1) plugin requests broad scopes (browse, mail, code execution); 2) manifest description doesn't match actual capability; 3) plugin author is anonymous / new; 4) reviews are sparse or AI generated; 5) responses include URLs / sidebar mentions to attacker domain.; DO: only enable verified plugins from known publishers; never paste secrets into any GPT; for enterprises, deploy a vetted GPT allow list.

Can LegalAudit check my case?

Yes. Start a free chat and paste the message, link, sender, or payment details for triage.