Lesson 407 of 2116
Prompt-Injection Risks Specific To ChatGPT Plugins And Connectors
When ChatGPT can read your email, browse the web, or call APIs, attackers can hide instructions inside that content. The risk is real and the defenses are mostly hygiene.
Lesson map
What this lesson covers
Learning path
The main moves in order
- 1What prompt injection is in this context
- 2prompt injection
- 3indirect injection
- 4tool-use risk
Concept cluster
Terms to connect while reading
Section 1
What prompt injection is in this context
Direct prompt injection is when a user types adversarial instructions into ChatGPT. Indirect prompt injection is when ChatGPT reads content from a tool — a webpage, an email, a calendar invite — and that content contains instructions intended to override the system prompt. The model has no reliable way to tell instructions from data. That is the whole problem.
Where the risk concentrates in ChatGPT
- 1Browser tools — a webpage can include hidden text targeting agents.
- 2Email connectors — an inbound email can contain instructions to forward content.
- 3Document Q&A — a malicious uploaded file can carry an injection payload.
- 4Calendar invites — descriptions are user-controlled and reach the agent.
- 5Custom GPT actions — return data from your API can contain hostile text from third-party sources.
Compare the options
| Capability surface | Worst-case if injection succeeds | Mitigation |
|---|---|---|
| Browser / Operator | Agent visits attacker site, takes action | Approval gate every navigation |
| Email connector | Sensitive email forwarded to attacker | No 'send' action without explicit human approval |
| Document Q&A | Hidden instructions exfiltrate other docs | Strip / sanitize untrusted documents before indexing |
| Custom GPT action | Action calls attacker-controlled endpoint | Allowlist domains, never echo arbitrary URLs |
Practical defenses for non-engineers
- Treat any tool the model uses as if it could be hostile. Approve sends and reads explicitly.
- Never let an agent take an irreversible action from data it pulled in by itself.
- Scope connectors to the minimum needed. Revoke scope when the project ends.
- Watch for surprise actions — an agent that suddenly wants to email someone is a tell.
- Log everything your agent does. The audit trail is your only forensic tool.
Applied exercise
- 1List every connector and Custom GPT action your account has live.
- 2For each, write the worst-case outcome of a successful injection.
- 3Disable any whose worst-case is unacceptable.
- 4Set a 60-day reminder to repeat this audit.
Key terms in this lesson
The big idea: every tool you give the model expands the attack surface. Defense is mostly hygiene — minimum scope, explicit approvals, regular audits.
End-of-lesson quiz
Check what stuck
15 questions · Score saves to your progress.
Tutor
Curious about “Prompt-Injection Risks Specific To ChatGPT Plugins And Connectors”?
Ask anything about this lesson. I’ll answer using just what you’re reading — short, friendly, grounded.
Progress saved locally in this browser. Sign in to sync across devices.
Related lessons
Keep going
Creators · 20 min
Prompt-Injection Tests for Local Agents
Local agents still face prompt injection when they read documents, web pages, emails, or tool outputs.
Creators · 8 min
ChatGPT Memory: When To Enable, When To Turn It Off
Memory is supposed to make ChatGPT feel personal. It also quietly accumulates context that can pollute later conversations or leak into the wrong workspace.
Creators · 8 min
Sharing Chats Vs Sharing GPTs: What Leaks And What Doesn't
A shared chat link and a shared Custom GPT look similar but expose different things. Mixing them up is how creators leak more than they meant to.