Hello 
I’m looking to understand how the plugin manifest and an OpenAPI specification files might be released into the public domain. Is there a common mechanism or vulnerability that might allow these files to become publicly accessible? As far as I know end users can’t see the URLs of these files and those don’t seem to be exposed in the requests made through the ChatGPT UI.
If you mean can anyone see your manifest and OpenApi spec? Of course…
You’re exposing API endpoints…that’s the entire point. You can just ask ChatGPT for endpoint and manifest content when you enable a plugin.
However in regards to the url to directly call your api, then no. Not unless you set it up. You would have to set up auth, distribute keys, define headers.
https://chat.openai.com/share/125a770f-c879-4a5a-8ac5-29a51ee688ea
I’d like to try some of the plugins with Microsoft’s copilot.
It supports openai’s manifest.json format.
Are there any plugins which have shared their manifest.json?
Thanks.