Cybersecurity ChatGPT Plugins
Last reviewed: May 9, 2026
Sources: No citations yet
Review status: Needs citations
Revision: v2 · 2,590 words
See also: ChatGPT Plugins, ChatGPT Plugin Categories and Cybersecurity
Cybersecurity ChatGPT Plugins were a small, informal grouping of third-party extensions for ChatGPT that focused on security related tasks during the brief life of the ChatGPT plugins beta. The plugin system was announced by OpenAI on March 23, 2023 with twelve launch partners, opened more broadly to ChatGPT Plus subscribers on May 12, 2023, and was wound down on April 9, 2024 in favor of Custom GPTs and the GPT Store [1][2][3]. None of the original launch partners were security vendors, and OpenAI never published an official "cybersecurity" tab in the plugin store. The category emerged organically as third-party developers shipped tools for code review, vulnerability research, threat intelligence lookups, and audit reporting [1][4].
The history of cybersecurity plugins is unusual because the most widely reported security stories from that period concerned the plugin platform itself rather than the plugins it hosted. Researchers documented prompt injection, cross plugin request forgery, OAuth flaws, and account takeover paths affecting plugins broadly, with public disclosures from Embrace The Red and Salt Labs spanning May 2023 through March 2024 [5][6][7][8]. Today the page serves as a historical reference for a short window in which security practitioners experimented with the plugin model before the platform was retired.
ChatGPT plugins were a beta feature that allowed third-party services to extend ChatGPT with browsing, retrieval, and action calls through a manifest file and an OpenAPI spec. The official OpenAI post on March 23, 2023 introduced the system alongside twelve launch partners: Expedia, FiscalNote, Instacart, Kayak, Klarna, Milo, OpenTable, Shopify, Slack, Speak, Wolfram, and Zapier [1][2]. The list contained no dedicated security vendors. OpenAI also enabled two first party plugins: a browsing tool and a code interpreter sandbox.
The broad rollout to ChatGPT Plus users on May 12, 2023 brought a self serve plugin store, and the catalog expanded rapidly. By late May 2023 third party trackers counted more than 800 plugins, and by mid 2023 over 1,000 entries were listed, organized loosely by community curators rather than by formal OpenAI categories [9].
OpenAI announced Custom GPTs at its first DevDay on November 6, 2023, presenting them as a more flexible replacement for plugins [10]. The GPT Store opened on January 10, 2024 with categories for writing, productivity, education, lifestyle, programming, and others, but again no dedicated cybersecurity tab [11]. On February 23, 2024 OpenAI confirmed the wind down schedule for plugins. Installation of new plugins and the start of new plugin chats stopped on March 19, 2024, and existing plugin conversations were retired on April 9, 2024 [3][12].
| Date | Event |
|---|---|
| March 23, 2023 | Plugins announced with 12 launch partners [1] |
| May 12, 2023 | Broad rollout to ChatGPT Plus subscribers [2] |
| May 28, 2023 | Cross Plugin Request Forgery disclosed by Johann Rehberger [5] |
| June 25, 2023 | Salt Labs internal discovery of plugin OAuth flaws [7] |
| November 6, 2023 | OpenAI announces Custom GPTs at DevDay [10] |
| January 10, 2024 | GPT Store launches [11] |
| February 23, 2024 | OpenAI announces plugin wind down [3] |
| March 13, 2024 | Salt Labs publishes plugin vulnerability report [7][8] |
| March 19, 2024 | New plugin installs and new plugin chats disabled [3][12] |
| April 9, 2024 | Plugin beta fully retired [3][12] |
Cybersecurity themed plugins occupied several rough slots within the larger plugin catalog. Most fall into one of the following functional areas, grouped by the kinds of tasks they automated.
| Functional area | Typical capability |
|---|---|
| Source code review | Read code from a hosted repository and answer questions about vulnerabilities, dependencies, or weak patterns |
| Web reconnaissance | Fetch a URL or domain, summarize headers, certificates, technology fingerprints, and exposed metadata |
| Threat intelligence lookups | Query third party APIs for IP reputation, malware indicators, breach data, or domain WHOIS records |
| Compliance and audit reporting | Map a description of a system to controls in standards such as ISO 27001 or NIST SP 800-53 and draft summary reports |
| Plugin and API security testing | Probe a plugin's own OpenAPI surface for missing authentication, weak OAuth handling, and other developer mistakes |
A common workflow was conversational. A user might paste a snippet of code, attach a repository link, or describe a target environment, then ask ChatGPT to call the plugin and return findings. Because plugins could chain together, a single chat could browse a vendor advisory, then pull a related code repository, then draft a remediation note. This blending of retrieval and generation was the main attraction for security teams that wanted faster triage and reporting.
The practical limits were significant. Plugins could only act on what users explicitly enabled, calls were synchronous, and ChatGPT could enable at most three plugins per chat session during the beta. Long running scans, real time monitoring, and persistent agent style automation were out of scope.
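The last row of the functional area table, checking a plugin's own OpenAPI surface for missing authentication, can be approximated with a static check over the two files a plugin shipped. The following is an added example, not SecureGPT's or any plugin's code; the manifest and spec are constructed samples, and `auth.type` is the plugin manifest's authentication setting.

```python
import re

HTTP_METHODS = ("get", "post", "put", "patch", "delete")
OBJECT_ID_RE = re.compile(r"\{[^}]+\}")  # a path parameter such as {repo_id}

# Constructed sample inputs shaped like a plugin's ai-plugin.json and openapi.json,
# trimmed to the fields this check reads.
MANIFEST = {"schema_version": "v1", "name_for_model": "repo_reader", "auth": {"type": "none"}}
SPEC = {
    "openapi": "3.0.1",
    "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/health": {"get": {"operationId": "health", "security": []}},
        "/repos/{repo_id}/files": {"get": {"operationId": "listFiles"}},
        "/repos/{repo_id}/settings": {"put": {"operationId": "updateRepo", "security": [{"bearer": []}]}},
    },
}


def audit_plugin_auth(manifest, spec):
    """Return findings as (operationId, severity, message) tuples.
    high: no auth on an object-scoped or state-changing operation; medium: spec
    requires auth but the manifest's auth.type is "none" (ChatGPT sends no
    credential); review: authenticated object-scoped operation, check ownership."""
    findings = []
    default_security = spec.get("security")  # document-level default, if declared
    manifest_auth = manifest.get("auth", {}).get("type", "none")
    for path, item in spec.get("paths", {}).items():
        touches_object = bool(OBJECT_ID_RE.search(path))
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            op_id = op.get("operationId", f"{method.upper()} {path}")
            security = op.get("security", default_security)
            if not security:  # None (undeclared) or [] (explicitly anonymous)
                if touches_object or method != "get":
                    findings.append((op_id, "high", "unauthenticated access to an object or state-changing operation"))
                elif security is None:
                    findings.append((op_id, "low", "no security requirement declared"))
            else:
                if manifest_auth == "none":
                    findings.append((op_id, "medium", "spec requires auth but manifest auth.type is 'none'"))
                if touches_object:
                    findings.append((op_id, "review", "object-scoped: confirm the server checks the caller owns the id"))
    return findings
```

Running `audit_plugin_auth(MANIFEST, SPEC)` on the sample flags `listFiles` as unauthenticated object access and `updateRepo` for the manifest mismatch, while the explicitly public `/health` endpoint is left alone.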
The sources surveyed for this article reliably identify only a small number of plugins that were either explicitly security focused or routinely repurposed for security work. Many community lists of "top cybersecurity ChatGPT plugins" recommended general purpose plugins, such as web browsers and code readers, rather than tools built specifically for security. Plugins listed below are limited to those documented in independent reporting or in vendor disclosures.
| Plugin | Vendor or source | Function |
|---|---|---|
| AskTheCode | Independent developer (Dsomok) | Connected ChatGPT to a user supplied GitHub repository to answer questions about the code, including questions about insecure patterns. Mentioned in Salt Labs research as an example of a PluginLab framework user [7][8] |
| WebPilot | WebPilot.ai | Fetched and summarized URLs, often used by analysts to read advisories, threat reports, and pages behind redirects. Also documented as the test target in the May 2023 markdown image data exfiltration writeup [13] |
| SecureGPT | Escape.tech | Free dynamic application security testing tool that targeted the OpenAPI surface of other ChatGPT plugins, marketed to plugin developers who wanted to find missing authentication and broken object level authorization in their own work [14] |
| Zapier | Zapier | A general automation plugin frequently used in security workflows to wire ChatGPT to ticketing systems, mail, or chat, and the focus of the Cross Plugin Request Forgery proof of concept that demonstrated email exfiltration through indirect prompt injection [5] |
A "Cyber Security Audit" plugin idea was discussed in the OpenAI Developer Community in September 2023, framed as a semi autonomous helper that could scan code, check standards compliance, and compile reports [15]. Coverage of that thread is limited to community posts and is not corroborated by mainstream press, so it is recorded here as a community level effort rather than a verified released plugin.
Several plugins that community lists labeled as "cybersecurity" were really general utilities, including Wolfram for math heavy answers about cryptographic parameters and various web reading plugins. Those are linked through their host categories rather than treated as security products.
A distinct strand of the cybersecurity story is not about security plugins at all but about the plugin model as a class of risk. ChatGPT plugins exposed user data to third party endpoints, used OAuth to authenticate users with those endpoints, and let the model invoke them in response to instructions that could come from untrusted webpages. Each of those properties created a real attack surface.
Prompt injection in this period referred to manipulating a large language model by embedding hostile instructions in content the model was asked to read. With plugins active, an attacker could place instructions inside a webpage so that the browsing plugin retrieved them, the model interpreted them as a command, and another plugin acted on them on the user's behalf. The dedicated prompt injection page covers the broader concept in detail; the plugin specific case is sometimes called indirect prompt injection because the malicious instructions never come from the user.
Researcher Johann Rehberger described "Cross Plugin Request Forgery" on May 28, 2023. The proof of concept used the browsing plugin to read a malicious webpage, hijacked the conversation through indirect prompt injection, then directed the Zapier plugin to summarize a victim's email and exfiltrate the result through an attacker controlled URL. Zapier mitigated the attack by requiring authenticated confirmation before executing sensitive actions [5].
A related issue, disclosed to OpenAI on April 9, 2023 and published later that spring, exploited the way ChatGPT rendered markdown images. A plugin or a webpage could craft an image URL that included chat history as a query parameter, causing the browser to leak conversation contents to an attacker domain when the markdown image rendered. The technique was demonstrated against the WebPilot plugin and helped push OpenAI toward stricter URL handling [13].
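To show the defender's side of the markdown image issue, here is an added example (not code from OpenAI, WebPilot, or the original page) of an output filter a renderer or plugin backend could apply before model output is displayed: images are kept only when they point at an allowlisted host over HTTPS, and URLs carrying credentials or oversized query strings are replaced with a visible placeholder. The allowlisted host and the sample text are constructed.

```python
import re
from urllib.parse import urlsplit

# Markdown image syntax: ![alt](url "optional title")
IMAGE_RE = re.compile(r'!\[([^\]]*)\]\(\s*(\S+?)(?:\s+"[^"]*")?\s*\)')

# Constructed allowlist of hosts the renderer is permitted to fetch images from.
ALLOWED_IMAGE_HOSTS = {"images.example-plugin.test"}
MAX_QUERY_LEN = 128  # conversation text smuggled as a parameter is far longer than this


def classify_image_url(url):
    """Return None if the URL may render, otherwise a short reason for blocking it."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "non-https scheme"
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_IMAGE_HOSTS:
        return f"host {host!r} not allowlisted"
    if parts.username or parts.password:
        return "credentials in URL"
    if len(parts.query) > MAX_QUERY_LEN:
        return "oversized query string"
    return None


def sanitize_markdown(text):
    """Replace blocked images with a placeholder; return (clean_text, findings)."""
    findings = []

    def _replace(match):
        url = match.group(2)
        reason = classify_image_url(url)
        if reason is None:
            return match.group(0)  # allowlisted image, keep as written
        findings.append({"url": url, "reason": reason})
        return f"[image blocked: {reason}]"

    return IMAGE_RE.sub(_replace, text), findings
```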
The most widely reported plugin platform vulnerability disclosure came from Salt Labs, the research arm of Salt Security. The researchers said they began work in late June 2023, disclosed to OpenAI on July 10, 2023, and to PluginLab.AI and Kesem AI in September 2023, then released the public report on March 13, 2024 once fixes were in place [7][8].
The report described three classes of issue:
| Issue | Description |
|---|---|
| Malicious plugin installation | The plugin install flow used a non random state parameter that could be guessed, allowing an attacker to redirect a victim through a crafted approval link and silently install attacker controlled credentials [7][8] |
| Zero click account takeover via PluginLab | The PluginLab framework's auth.pluginlab.ai/oauth/authorize endpoint did not authenticate the requesting user properly, so an attacker could supply a victim's user identifier and receive an authorization code on the victim's behalf, leading to account takeover for plugins built on the framework, including AskTheCode [7][8] |
| OAuth redirect manipulation | Several plugins, including Charts by Kesem AI, did not validate redirect URIs, allowing an attacker to receive authorization codes intended for the victim by directing them to attacker controlled domains [7][8] |
Salt Labs, OpenAI, and the affected vendors confirmed that fixes were rolled out before public disclosure and that there was no evidence of in-the-wild exploitation [7][8]. The episode is a major reason that later coverage of plugins balanced functional praise with caution about the breadth of trust the model placed in third party endpoints.
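As an added example (not the vendors' code and not taken from the Salt Labs report), the following Python sketch shows the three fixes the table implies side by side: a cryptographically random, session-bound, single-use `state`; exact-match validation of `redirect_uri` against registered values; and an authorize endpoint that binds the code to the user it actually authenticated rather than to an identifier supplied in the request. The class names, the registered callback URL and the authorize URL are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlencode

# Constructed allowlist: the exact redirect URIs registered for this plugin client.
REGISTERED_REDIRECT_URIS = {"https://chat.example/plugin-demo/oauth/callback"}


class AuthorizationServer:
    """Authorize endpoint of the plugin's identity provider. The code is bound
    to the user the server itself authenticated (login page, session cookie),
    never to a user identifier carried in the request parameters."""

    def __init__(self):
        self.codes = {}  # code -> (subject, redirect_uri)

    def authorize(self, authenticated_user, params):
        if authenticated_user is None:
            raise PermissionError("login and consent required before issuing a code")
        redirect_uri = params.get("redirect_uri")
        if redirect_uri not in REGISTERED_REDIRECT_URIS:  # exact match, no prefix or substring rules
            raise ValueError("redirect_uri is not registered for this client")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (authenticated_user, redirect_uri)  # any params["user_id"] is ignored
        return code


class PluginClient:
    """Client side of the flow: per-session, unguessable, single-use state."""

    def __init__(self, authorize_url):
        self.authorize_url = authorize_url
        self.pending = {}  # session_id -> {state: redirect_uri}

    def begin(self, session_id, redirect_uri):
        state = secrets.token_urlsafe(32)  # replaces a static or guessable value
        self.pending.setdefault(session_id, {})[state] = redirect_uri
        query = urlencode({"response_type": "code", "redirect_uri": redirect_uri, "state": state})
        return f"{self.authorize_url}?{query}"

    def finish(self, session_id, state):
        """Return the redirect_uri bound to this state for the token exchange,
        or None if the state is unknown, belongs to another session, or was
        already consumed (a forged or replayed callback)."""
        states = self.pending.get(session_id, {})
        match = next((s for s in states if hmac.compare_digest(s, state)), None)
        return None if match is None else states.pop(match)
```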
With those constraints in mind, security practitioners who used the plugin system tended to fall into a small set of recurring tasks.
| Workflow | Plugins typically used |
|---|---|
| Reading a vendor advisory and summarizing its scope | A web browsing plugin such as WebPilot, sometimes paired with a code reading plugin to compare a fix against local code |
| Asking questions about a code repository | AskTheCode, with prompt engineering techniques to focus the model on security relevant patterns |
| Drafting compliance and audit text | A general writing plugin or built in browsing combined with hand crafted instructions referencing the relevant control catalog |
| Triaging an unknown URL or domain | A browsing plugin to fetch the page, then manual checks against external services for IP reputation, certificates, and DNS history |
| Testing a plugin's own surface | SecureGPT against the developer's own OpenAPI specification |
Seasoned practitioners treated plugin output as a draft rather than a verdict. The 2023 GPT-4 model that powered most plugin chats could miss vulnerabilities, fabricate function names, or invent CVE identifiers, so cross checking with primary sources stayed essential.
OpenAI's stated reason for retiring plugins was that Custom GPTs covered the same ground with a better builder experience and better controls [3][12]. From a security perspective, the old plugin model also accumulated a long list of platform issues, including the OAuth flaws documented by Salt Labs, the indirect prompt injection paths shown by Embrace The Red, and ongoing concerns about data leaving ChatGPT for third party endpoints with limited transparency.
Three practical reasons sit behind the retirement:
Most cybersecurity work that previously happened through plugins moved in one of three directions after April 2024.
| Successor | Notes |
|---|---|
| Security focused Custom GPTs | Builders rebuilt code review, threat lookup, and audit assistant flows as Actions inside a Custom GPT, often listed in the GPT Store. Categories on the store cover programming and productivity but not a dedicated security tab |
| Dedicated AI security products | Vendors including CrowdStrike, Microsoft, Google, and SentinelOne shipped their own assistants directly inside their security products, bypassing ChatGPT entirely |
| Open source agent frameworks | Projects such as PentestGPT and SecGPT moved offensive and defensive workflows into standalone code that talks to the OpenAI API or to local models |
A few of the original plugin developers, including AskTheCode and WebPilot, relaunched as GPTs in 2024. SecureGPT, the plugin testing tool, repositioned around testing GPT Actions and Model Context Protocol servers as the rest of the ecosystem evolved.