Claude and ChatGPT Connectors Change Every 9 Minutes
We tracked ChatGPT and Claude connectors for 6 weeks and found that a connector changes every nine minutes: gaining write access, widening its permissions, modifying its toolset, and more.
9 minutesaverage time between connector changes in Claude and ChatGPT
Sample connectors
185
310
111
122
87
97
34
21
?
?
Sample Connector Changes
New tool added
New AI instructions
New permission scopes
New write action
Tool inputs changed
...
Track changes in your connectors
AI Connector Changes: What's the risk?
Across organizations rolling out AI tools like Claude and ChatGPT, a common request from users is to connect third-party apps; this allows Claude agents to act on your business data in other applications. However, connectors present a novel surface for AI risk.
Organizations must assess the scope of connectors, determine a risk tolerance for agents taking actions in external systems, and evaluate the risk of indirect prompt injections (which is tied to the presence of sensitive data and untrusted data being processed by the agent at the same time).
But there is another pressing challenge for connector governance: connectors that organizations assess are changing rapidly after approval. Drift occurs across multiple facets and rarely comes with any notification or re-consent process. For example, adding new tools and changing the permissions scopes available to the connector (e.g., gaining edit and delete access in third-party apps), the instructions that tell the agent when to call tools, the data inputs requested by tools, and more.
In this work, we analyze how frequently connectors are changing over time, the types of changes they make, and how that affects the risk posture of organizations using them.
How existing connectors changed over time
From mid May to the end of June, we tracked the connectors already live on Claude and ChatGPT. This is what changed underneath them.
37%
of connectors saw a change to their capabilities, permissions, and more
931 of 2,517 connectors
1,686
new tools were added to connectors that were already live, creating new ways for AI to operate on your data and interact with your third party apps on your behalf
1,127
tool descriptions were rewritten - changing how and when the model decides to call a tool; a tool that previously told the model "do not call when data is sensitive" may now say "call every time"
664
tools changed what inputs they accept; a tool that previously asked the model to supply an email may now ask for a name, address, and phone number
283
connectors began to inject custom instructions into the model's context. Connectors can now tell your agent how and when to act, beyond providing descriptions of tools to call.
86
new OAuth permission scopes were requested by connectors - granting agents access to more data, the ability to edit data, and longer-term access to data and capabilities
50
connectors changed the endpoints they communicate over. When communicating over different endpoints, capabilities exposed to the agent can change, and so can data processing gaurantees such as what region data is processed in
21
fully read-only connectors gained tools that allow agents to create, edit, or delete content in your third party apps; including actions that communicate externally such as sending emails
12
individual tools were reclassified from read-only to write-capable; tools specifically reviewed and approved changed capabilities
8
connectors gained new output surfaces, like Claude Desktop and MCP Apps. Connectors can now return interactive interfaces to take sensitive actions in third-party apps
What a connector change looks like
Here are a few examples of notable changes on well-known connectors, from new tools being marked as destructive, to new write-capable tools and increased permission scopes.
Slack
New tools
Create channels, invite people, delete and edit messages…
Tools it exposes
14then32
Permission scopes
1then34
Miro
New tools
Create boards, docs, tables, and diagrams, delete widgets…
Tools it exposes
5then31
Tools that can write
1then15
Google Drive
New tools
Delete, share, upload, and overwrite your files…
Tools it exposes
35then47
Tools marked destructive
9then16
Here is an example with Dropbox, which changed in multiple ways
For connectors that changed across many dimensions, drift in capabilities and risk surface has been very substantial.
Dropbox
day oneend of study
Tools it exposes824
Tools that can write310
Tools marked destructive04
Permission scopes08
Injects instructions into the modelnoyes
When the connector changes landed
Throughout the monitoring window, connectors made changes that affected their security posture. Below is a sample of the timeline:
Timeline with Sample of Changes During Study
May 23
Monday.com
added 21 tools
May 27
LSEG
added 14 tools
May 28
ZoomInfo
began injecting model instructions
May 29
Sanity
switched on an MCP App
Jun 3
Brex
widened its OAuth scopes by 16
Jun 9
Figma
a tool became destructive1
RoadOps
added a persistent-token scope
NetSuite
switched on an MCP App
Jun 17
Benchling
added Claude Desktop as a surface
Jun 24
Zscaler
added 122 tools
Tableau
added 19 tools
Supermetrics
increased permissions scopes from read to write
Jun 27
Webflow
a tool became destructive1
1 “A tool became destructive” indicates that one or more tools was flagged as destructive by OpenAI.
Start monitoring your connectors
The model's context
Connectors tell agents how to act, and their instructions change constantly
A surface that did not exist a month ago
ChatGPT added a field, mcp_server_instructions, that lets a connector write instructions directly into the model's context. Adoption was immediate. While most connectors use this field to optimize agents' use of the connector, the field can also change the agent's behavior outside of the context of the connector or in ways the user may not want.
For example, the Aleph connector instructs agents to call a tool that collects feedback data on MCP server performance any time a tool provides bad results - this feedback could contain sensitive data the user was working with.
Aleph Connector Injected Instructions
“When a tool returns wrong/misleading/incomplete results, is missing for what the user asked, or required awkward workarounds, call submit_mcp_feedback.”
Connectors injecting model instructions over time
0
4
35
76
135
151
264
283
early Mayend June
Beyond the above, connectors use tool descriptions to inform the agent when and how to use the connector. These descriptions were edited very frequently, changing when and how agents choose to operate with third-party systems. This creates risks because it means that a tool that previously only worked with trusted data sources can change its description in a way that leads agents to activate the tool with untrusted data sources, or vice versa.
Tool-description rewrites per week
52
221
122
187
160
168
168
49
early Mayend June
The number of connectors keeps growing
The connector landscape expands every day. More connectors arrive every week, and the tools inside them grow even faster.
Number of connectors over time
ChatGPT connectors
1,014 to 1,933
+91%
early Mayend June
Claude connectors
428 to 535
+25%
early Mayend June
Connector counts for both apps climbed all month. ChatGPT nearly doubled its published third-party connectors; Claude's directory grew by a quarter, from 428 to 535.
Additionally, their tools multiplied faster
Connector count is only half of it. The callable tools inside, the actions the model can invoke, outpaced the directory itself.
Number of callable tools over time
ChatGPT tools (actions)
7,148 to 20,214
+183%
early Mayend June
Claude tools
5,905 to 7,750
+31%
early Mayend June
Tool sprawl outpaced connector count. ChatGPT's live action count nearly tripled, from about 7,100 to 20,200 callable actions; Claude's directory grew from 5,900 to 7,750 tools.
Existing connectors added tools
Existing connectors did not sit still. They grew new tools week after week, many of them able to act on your data.
New tools added to existing connectors, per week
53
185
276
240
300
280
281
71
early Mayend June
1,686 appeared in a month across Claude and ChatGPT, 196 of the ChatGPT ones flagged as destructive by OpenAI.
Furthermore, connectors got denser
The number of tools in a connector also increased, which means more surface behind approving a single connector.
Average tools per connector over time
ChatGPT tools per connector
7.05 to 10.46
+48%
early Mayend June
Claude tools per connector
14.65 to 15.38
+5%
early Mayend June
And more of those tools can write
Beyond expanding in size, connectors became more agentic and gained increased access to write capabilities.
Read-only vs. write actions over time
+4,385write actions
writeread-only
+460write tools
writeread-only
Both catalogs scaled their write actions as they grew, ChatGPT's write count by 222% and Claude's by 28%. Relative to the growth in read actions, though, they diverged.
For ChatGPT, the proportion of actions that write grew, as did the share of connectors with at least one write tool.
ChatGPT
Connectors with a write tool
38% to 46%
+8 pts
mid-Mayend June
Share of actions that write
27.6% to 31.5%
+3.9 pts
mid-Mayend June
Meanwhile, for Claude, both the proportion of actions that write and the share of connectors with a write tool held steady as the catalog grew.
Claude
Connectors with a write tool
54% to 55%
+1 pts
late Mayend June
Share of actions that write
28.0% to 27.3%
-0.7 pts
late Mayend June
Not every write is equal. ChatGPT flags which of its actions can delete or overwrite, and split three ways, that group grew the most, tripling from 798 to 2,415.
ChatGPT Action Classifications
read-only5,115 →13,8092.7x
write1,235 →3,9903.2x
destructive798 →2,4153.0x
Additionally, across Claude and ChatGPT, some connectors have gone from completely read-only to fully write-capable:
Read-Only Connectors Gained Write Capabilities
ChatGPT
16
5
Vendor volatility is not consistent
Throughout the vendor population, vendors changed at very different rates. One methodology organizations can use to proxy the risk of connectors enacting future changes is to analyze a connector's past volatility, or the volatility of connectors in the same industry.
Change events per connector, top vendors
310
185
142
136
122
111
104
97
92
88
87
70
64
64
61
58
55
52
Datadog
Zscaler
Monday.com
Aleph
Slack
Brex
GovTribe
GitHub
LSEG
Domotz
Dropbox
Linear
Figma
QuickBooks
S&P Global
BlueSuite
RoadOps
Amplitude
Change events per connector, across ChatGPT and Claude.
See every connector change across your vendors
PromptArmor Threat Intelligence
Is your organization protected from AI in vendors?
PromptArmor continuously monitors across your portfolio of third party AI in vendors, skills, plugins, connectors, MCP servers, models and more.
We detect vulnerabilities and changes like this, surfacing risk before it becomes an incident.