Claude and ChatGPT Connectors Change Every 9 Minutes | PromptArmorBook a Demo
Blogs<br>9 minutesaverage time between connector changes in Claude and ChatGPT
Sample connectors
185
310
111
122
87
97
34
21
Sample Connector Changes<br>New tool added<br>New AI instructions<br>New permission scopes<br>New write action<br>Tool inputs changed<br>...
Track changes in your connectors<br>Get alerted
AI Connector Changes: What's the risk?
Across organizations rolling out AI tools like Claude and ChatGPT, a common request from users is to connect third-party apps; this allows Claude agents to act on your business data in other applications. However, connectors present a novel surface for AI risk.<br>Organizations must assess the scope of connectors, determine a risk tolerance for agents taking actions in external systems, and evaluate the risk of indirect prompt injections (which is tied to the presence of sensitive data and untrusted data being processed by the agent at the same time).<br>But there is another pressing challenge for connector governance: connectors that organizations assess are changing rapidly after approval. Drift occurs across multiple facets and rarely comes with any notification or re-consent process. For example, adding new tools and changing the permissions scopes available to the connector (e.g., gaining edit and delete access in third-party apps), the instructions that tell the agent when to call tools, the data inputs requested by tools, and more.<br>In this work, we analyze how frequently connectors are changing over time, the types of changes they make, and how that affects the risk posture of organizations using them.<br>How existing connectors changed over time<br>From mid May to the end of June, we tracked the connectors already live on Claude and ChatGPT. This is what changed underneath them.
37%of connectors saw a change to their capabilities, permissions, and more<br>931 of 2,517 connectors
1,686<br>new tools were added to connectors that were already live, creating new ways for AI to operate on your data and interact with your third party apps on your behalf
1,127<br>tool descriptions were rewritten - changing how and when the model decides to call a tool; a tool that previously told the model "do not call when data is sensitive" may now say "call every time"
664<br>tools changed what inputs they accept; a tool that previously asked the model to supply an email may now ask for a name, address, and phone number
283<br>connectors began to inject custom instructions into the model's context. Connectors can now tell your agent how and when to act, beyond providing descriptions of tools to call.
86<br>new OAuth permission scopes were requested by connectors - granting agents access to more data, the ability to edit data, and longer-term access to data and capabilities
50<br>connectors changed the endpoints they communicate over. When communicating over different endpoints, capabilities exposed to the agent can change, and so can data processing gaurantees such as what region data is processed in
21<br>fully read-only connectors gained tools that allow agents to create, edit, or delete content in your third party apps; including actions that communicate externally such as sending emails
12<br>individual tools were reclassified from read-only to write-capable; tools specifically reviewed and approved changed capabilities
connectors gained new output surfaces, like Claude Desktop and MCP Apps. Connectors can now return interactive interfaces to take sensitive actions in third-party apps
What a connector change looks like<br>Here are a few examples of notable changes on well-known connectors, from new tools being marked as destructive, to new write-capable tools and increased permission scopes.
Slack
New tools<br>Create channels, invite people, delete and edit messages…
Tools it exposes<br>14then32
Permission scopes<br>1then34
Miro
New tools<br>Create boards, docs, tables, and diagrams, delete widgets…
Tools it exposes<br>5then31
Tools that can write<br>1then15
Google Drive
New tools<br>Delete, share, upload, and overwrite your files…
Tools it exposes<br>35then47
Tools marked destructive<br>9then16
Here is an example with Dropbox, which changed in multiple ways<br>For connectors that changed across many dimensions, drift in capabilities and risk surface has been very substantial.<br>Dropbox<br>day oneend of study<br>Tools it exposes824<br>Tools that can write310<br>Tools marked destructive04<br>Permission scopes08<br>Injects instructions into the modelnoyes
When the connector changes landed<br>Throughout the monitoring window, connectors made changes that affected their security posture. Below is a sample of the timeline:
Timeline with Sample of Changes During Study
May 23<br>Monday.com<br>added 21 tools
May 27<br>LSEG<br>added 14 tools
May 28<br>ZoomInfo<br>began injecting model instructions
May 29<br>Sanity<br>switched on an MCP App
Jun 3<br>Brex<br>widened its OAuth scopes by 16
Jun 9<br>Figma<br>a tool became destructive1
RoadOps<br>added a persistent-token scope
NetSuite<br>switched on an MCP App
Jun...