Hi,
When using the Formesign ChatGPT App to create forms, the permission dialog displays form field names (schema definitions) as if they are actual user data being shared.
Steps to reproduce:
-
Open ChatGPT with Formesign app enabled
-
Type: “@Formesign create employee onboarding form”
-
Observe the permission dialog
What happens:
The dialog shows “Sharing data includes:” followed by a list including SSN, BankAccount, Financial, etc. This implies the user’s actual personal data is being sent to Formesign.
What’s actually happening:
Formesign is sending form field definitions (the schema) to create a form that will collect these fields from future respondents. No actual user PII is being shared.
Why this is critical:
The current dialog makes it appear that clicking “Create Form” will share the user’s SSN, bank account, and government ID with a third-party app. This is factually incorrect and will cause users to click “Deny” for legitimate requests.
This bug affects any ChatGPT App that creates forms, templates, or documents containing sensitive field types. It will significantly hurt adoption of form-building apps in the marketplace.
Expected behavior:
The dialog should distinguish between:
-
Sending data schema/field definitions (what Formesign does)
-
Sending actual user PII (not happening here)
Screenshots above: Shows the misleading permission dialog for “create employee onboarding form” request.
thanks,
mani