Claude and ChatGPT Connectors Change Every 9 Minutes

yearnforcompute1 pts0 comments

Claude and ChatGPT Connectors Change Every 9 Minutes | PromptArmorBook a Demo

Blogs<br>9 minutesaverage time between connector changes in Claude and ChatGPT

Sample connectors

185

310

111

122

87

97

34

21

Sample Connector Changes<br>New tool added<br>New AI instructions<br>New permission scopes<br>New write action<br>Tool inputs changed<br>...

Track changes in your connectors<br>Get alerted

AI Connector Changes: What's the risk?

Across organizations rolling out AI tools like Claude and ChatGPT, a common request from users is to connect third-party apps; this allows Claude agents to act on your business data in other applications. However, connectors present a novel surface for AI risk.<br>Organizations must assess the scope of connectors, determine a risk tolerance for agents taking actions in external systems, and evaluate the risk of indirect prompt injections (which is tied to the presence of sensitive data and untrusted data being processed by the agent at the same time).<br>But there is another pressing challenge for connector governance: connectors that organizations assess are changing rapidly after approval. Drift occurs across multiple facets and rarely comes with any notification or re-consent process. For example, adding new tools and changing the permissions scopes available to the connector (e.g., gaining edit and delete access in third-party apps), the instructions that tell the agent when to call tools, the data inputs requested by tools, and more.<br>In this work, we analyze how frequently connectors are changing over time, the types of changes they make, and how that affects the risk posture of organizations using them.<br>How existing connectors changed over time<br>From mid May to the end of June, we tracked the connectors already live on Claude and ChatGPT. This is what changed underneath them.

37%of connectors saw a change to their capabilities, permissions, and more<br>931 of 2,517 connectors

1,686<br>new tools were added to connectors that were already live, creating new ways for AI to operate on your data and interact with your third party apps on your behalf

1,127<br>tool descriptions were rewritten - changing how and when the model decides to call a tool; a tool that previously told the model "do not call when data is sensitive" may now say "call every time"

664<br>tools changed what inputs they accept; a tool that previously asked the model to supply an email may now ask for a name, address, and phone number

283<br>connectors began to inject custom instructions into the model's context. Connectors can now tell your agent how and when to act, beyond providing descriptions of tools to call.

86<br>new OAuth permission scopes were requested by connectors - granting agents access to more data, the ability to edit data, and longer-term access to data and capabilities

50<br>connectors changed the endpoints they communicate over. When communicating over different endpoints, capabilities exposed to the agent can change, and so can data processing gaurantees such as what region data is processed in

21<br>fully read-only connectors gained tools that allow agents to create, edit, or delete content in your third party apps; including actions that communicate externally such as sending emails

12<br>individual tools were reclassified from read-only to write-capable; tools specifically reviewed and approved changed capabilities

connectors gained new output surfaces, like Claude Desktop and MCP Apps. Connectors can now return interactive interfaces to take sensitive actions in third-party apps

What a connector change looks like<br>Here are a few examples of notable changes on well-known connectors, from new tools being marked as destructive, to new write-capable tools and increased permission scopes.

Slack

New tools<br>Create channels, invite people, delete and edit messages…

Tools it exposes<br>14then32

Permission scopes<br>1then34

Miro

New tools<br>Create boards, docs, tables, and diagrams, delete widgets…

Tools it exposes<br>5then31

Tools that can write<br>1then15

Google Drive

New tools<br>Delete, share, upload, and overwrite your files…

Tools it exposes<br>35then47

Tools marked destructive<br>9then16

Here is an example with Dropbox, which changed in multiple ways<br>For connectors that changed across many dimensions, drift in capabilities and risk surface has been very substantial.<br>Dropbox<br>day oneend of study<br>Tools it exposes824<br>Tools that can write310<br>Tools marked destructive04<br>Permission scopes08<br>Injects instructions into the modelnoyes

When the connector changes landed<br>Throughout the monitoring window, connectors made changes that affected their security posture. Below is a sample of the timeline:

Timeline with Sample of Changes During Study

May 23<br>Monday.com<br>added 21 tools

May 27<br>LSEG<br>added 14 tools

May 28<br>ZoomInfo<br>began injecting model instructions

May 29<br>Sanity<br>switched on an MCP App

Jun 3<br>Brex<br>widened its OAuth scopes by 16

Jun 9<br>Figma<br>a tool became destructive1

RoadOps<br>added a persistent-token scope

NetSuite<br>switched on an MCP App

Jun...

tools connectors data changes changed claude

Related Articles