OpenAI Apps MCP

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: CRITICAL (PROMPT_INJECTION)
Full Analysis
  • [Indirect Prompt Injection] (LOW): The skill defines Model Context Protocol (MCP) tools that process untrusted user input (e.g., city and cuisine parameters). While no exploit is present, this represents a standard injection surface common to tool-using agents. Evidence:
    1. Ingestion points: request.params.arguments in tool handlers within references/openai-metadata-format.md.
    2. Boundary markers: absent in the provided template code.
    3. Capability inventory: the tools can perform network requests and return data to the LLM.
    4. Sanitization: input validation or escaping is not explicitly demonstrated in the example boilerplate.
  • [SAFE] (SAFE): Automated scanner alerts for 'request.params.name' and 'window.openai.ca' were evaluated and dismissed as false positives. The alerts appear to be triggered by standard API property names and method calls such as window.openai.callTool within the project's documentation.
Recommendations
  • Contains 2 malicious URL(s) - DO NOT USE
Audit Metadata
Risk Level
CRITICAL
Analyzed
Feb 17, 2026, 04:44 PM