Claude Connectors Are a Data-Leak Risk. Here's the Fix. (2026)

Matt Payne · ·Updated ·7 min read
Key Takeaway

Claude's 200+ connectors hold active OAuth tokens even when idle. A Material Security study found 47.2% of connected apps sit dormant 90+ days with permissions intact. Run a 10-minute audit, build a read-only shadow pipeline, and strip every scope to the minimum before connecting anything.

Claude Connectors Are a Data-Leak Risk. Here's the Fix.

Step 1: Know What Claude Can Actually Touch

Most people click "Connect" without reading the permissions screen. That's a mistake.

Here's what Claude's connectors can access right now, per Anthropic's own docs:

Google Drive: Search and read Docs, Sheets, Slides, PDFs, and Office files. Upload any file type. Create folders. View file permissions. List recent changes. Save Claude-generated files directly to your Drive.

Gmail: Search and read emails. Access email metadata. Draft emails in your account. Manage labels and threads. Claude can't send emails — but it can draft them, which means it's composing messages with access to your inbox context.

Google Calendar: View all events including shared calendars. Create, update, and delete events. Manage attendee lists. Respond to invitations on your behalf.

Microsoft 365 (as of July 7, 2026): Anthropic added write tools. Claude can now draft and send emails, manage calendar events, update mailbox settings, and create files in OneDrive and SharePoint. Teams is still read-only.

Notion: Read pages and databases. Create and update content directly.

Slack: Search conversations. Summarize threads. Draft messages.

That's not a chat assistant. That's an agent with keys to your entire workspace.

Step 2: Build a Read-Only Shadow Pipeline

Never connect Claude directly to your production workspace. Not your main Google Drive. Not your primary Slack. Not the Notion database with your client contracts.

Build a read-only shadow pipeline instead. It takes about 20 minutes.

Create a dedicated service account. In Google Workspace Admin, create a new user — something like `claude-reader@yourdomain.com`. In Notion, create a guest with comment-only access. In Slack, create a single-channel guest account.

Share only what Claude needs. Don't give it your whole Drive. Create one shared folder called "Claude Input" and drop only the files you want Claude to analyze. In Notion, share specific pages, not your entire workspace. In Slack, add the guest account to one channel where you post content for Claude to summarize.

Set permissions to view-only. Google Drive: Viewer. Notion: Can view (not edit). Slack: single-channel guest with no posting rights.

Export, don't connect. For the most sensitive work, skip connectors entirely. Export the data as a PDF or CSV, upload it manually, and keep Claude's access completely disconnected from your live systems.

This costs you nothing. It takes 20 minutes to set up. And it means if something goes wrong — a prompt injection, an overbroad scope, a token that persists too long — Claude can only see copies of your data, not touch the originals.

Step 3: Set Least-Privilege Scopes for Each Connector

The OhAuth audit from Offroad looked at 2,890 OAuth app listings across Google Workspace Marketplace and GitHub Marketplace. 677 of them requested at least one permission beyond their stated function. Those apps have a combined install footprint of 1.82 billion.

Apps ask for more than they need because OAuth scope catalogs are blunt instruments. Google doesn't offer an "edit without delete" scope for Sheets, so any app that needs to write to one spreadsheet gets a scope that allows deletion across every spreadsheet you can reach.

Here's how to set least-privilege scopes for each Claude connector:

Google Drive: When connecting, use Google Workspace Admin Console > Security > API Controls > App Access Control. Restrict the Claude app to "Drive (read-only)" scope. Block `drive.file` write access unless you specifically need Claude to save files back to Drive. You probably don't.

Gmail: Restrict to `gmail.readonly` and `gmail.metadata`. Block `gmail.compose` and `gmail.modify` unless you want Claude drafting emails with your inbox as context. For most marketing use cases, read-only is enough.

Slack: Use Slack's OAuth scope settings to grant only `channels:read` and `channels:history`. Block `chat:write`, `files:write`, and anything with `:write` in the name. If Claude doesn't need to post messages, don't let it.

Notion: When sharing pages with your Claude integration, use "Can view" permissions. Don't grant "Can edit" unless you've specifically tested what Claude does with write access in that workspace.

Microsoft 365: After July 7, 2026, Anthropic's 365 connector includes write tools by default. A Microsoft Entra admin must consent to the updated permission set. My strong recommendation: don't consent. Keep it read-only until you have a specific, tested use case for write access.

Step 4: Run the 10-Minute Permissions Audit

Material Security analyzed 22,332 OAuth-connected apps across 21 Google Workspace environments. 47.2% had no active usage in 90 days, but their OAuth tokens were still valid.

Almost half the apps connected to those workspaces were doing nothing except holding the door open.

Before you connect Claude to anything, run this audit. Set a timer. Ten minutes.

Minutes 1-3: List every connected app.

  • Google: Admin Console > Security > API Controls > "Manage Third-Party App Access." Export the list.
  • Slack: Settings > Manage Apps > Installed Apps. Screenshot it.
  • Notion: Settings & Members > Connections. Screenshot it.

Minutes 3-5: Flag anything dormant. Any app nobody's used in 90 days? Revoke it. Right now. That Material Security study says almost half your connected apps fall into this category. Each one is an open OAuth token with permissions your team forgot about.

Minutes 5-7: Check scope levels. For each remaining app, click into its permissions. Ask one question: does this app need write access? If the answer isn't an obvious yes, downgrade it to read-only. The OhAuth audit found 266 apps with Drive access and high-tier, off-purpose permissions across 1.26 billion installs. Your workspace probably has a few of these.

Minutes 7-9: Check MFA status. Kaseya's 2026 SaaS Security Report found 56% of end-user accounts had MFA disabled or inactive. If the account connecting Claude to your tools doesn't have MFA enabled, you've got a bigger problem than connector permissions. Fix that first.

Minute 10: Document what's left. Take a screenshot of your cleaned-up connected apps list. Save it. You'll compare against it next month.

Ten minutes. No consultants. No security audit proposals. Just you, your admin panel, and the willingness to revoke things.

Step 5: Set a Recurring Monthly Review

Anthropic ships connector updates fast. They went from 0 connectors to 200+ since July 2025. They added Microsoft 365 write tools on July 7, 2026. They shipped enterprise-managed auth via Okta on June 18, 2026. The permissions you set today might not match what the connector requests next month.

The Material Security study found that 91% of AI and automation apps in their dataset appeared in just the last 16 months. People are connecting tools faster than IT can track them.

Put a 10-minute calendar block on the first Monday of every month. Run the same audit from Step 4. Compare against last month's screenshot. If a new connector appeared that nobody approved, revoke it and ask questions later.

If you're on a Claude Team or Enterprise plan, Anthropic now lets an Owner or Primary Owner enable connectors at the org level before individual users can authenticate. Use that. Don't let individual team members connect tools without approval.

Anthropic's enterprise-managed auth (launched June 18, 2026) lets you provision connectors through Okta. If you're already using Okta, this is the right move. Connector access gets governed by the same IdP that manages the rest of your stack. Revoke someone in Okta, and their Claude connectors go with them.

FAQ

Are Claude connectors safe to use?

Claude connectors are safe if you configure them correctly. The risk isn't Claude itself — it's the OAuth permissions you grant. The OhAuth audit found 32% of marketplace OAuth apps carry at least one structural risk signal. StoryPros recommends running a permissions audit before connecting any tool and using read-only access as your default.

What data can Claude access through connectors?

Claude can access Google Drive files (Docs, Sheets, Slides, PDFs), Gmail messages and metadata, Google Calendar events, Slack conversations and threads, Notion pages and databases, and Microsoft 365 email, calendar, OneDrive, and SharePoint files. As of July 7, 2026, the Microsoft 365 connector includes write capabilities, meaning Claude can draft, send, and organize email and create files in OneDrive.

How do I limit connector permissions for Notion, Slack, and Drive?

For Google Drive, restrict the Claude app to `drive.readonly` scope via Google Workspace Admin Console under API Controls. For Slack, grant only `channels:read` and `channels:history` scopes and block anything with `:write`. For Notion, share specific pages with "Can view" permissions instead of granting workspace-wide edit access. StoryPros recommends building a shadow pipeline with a dedicated service account that only has view-level permissions to a limited set of shared resources.

What is a read-only shadow pipeline for Claude?

A read-only shadow pipeline is a setup where you create a dedicated service account (like `claude-reader@yourdomain.com`), share only specific files or pages with view-only permissions, and connect Claude to that restricted account instead of your primary workspace. Claude can read the data you choose without write access to your production systems.

How often should I audit Claude connector permissions?

Monthly. Material Security found that 47.2% of OAuth-connected apps in Google Workspace environments had no active usage in 90+ days but retained valid tokens. Anthropic ships connector updates frequently — they added 200+ connectors since July 2025 and expanded Microsoft 365 write access in July 2026. A 10-minute monthly review catches new connections, dormant tokens, and scope changes before they become problems.

AI Answer

What can Claude connectors actually access in my Google account?

Claude connectors can read and search all your Drive files including Docs, Sheets, Slides, and PDFs. The Gmail connector reads emails and metadata and can draft messages in your inbox. The Google Calendar connector can create, update, and delete events and respond to invitations on your behalf.

AI Answer

How do I limit Claude's permissions to read-only in Google Drive and Slack?

In Google Workspace Admin Console, go to Security, then API Controls, then App Access Control and restrict Claude to the drive.readonly scope. For Slack, grant only channels:read and channels:history and block every scope with :write in the name. A dedicated service account like claude-reader@yourdomain.com keeps Claude out of your production workspace entirely.

AI Answer

How many OAuth-connected apps are sitting dormant with active tokens?

A Material Security study of 22,332 OAuth apps across 21 Google Workspace environments found 47.2% had no active usage in 90 days but still held valid tokens. Each dormant token is an open permission set your team forgot about. Revoking unused apps takes under 3 minutes per the 10-minute audit in this guide.