PromptArmor

2 in 5 Claude Connectors Call External AI

Claude's connector directory lets you plug third-party services into Claude. We reviewed all 487 connectors; 189 of them, roughly two in five, appear to call a second AI service to fulfill a request.

39%of the 487 connectors in Claude's directory may call another AI service
Claude
Connectors
+8
Subprocessors
+6
External AI models

Understand which tools call external AI

What does it mean that connectors are calling other AI?

Connectors let Claude take actions in third-party services. As an example, a connector may allow Claude to list emails from Outlook or send an email. However, as more and more apps integrate AI, we've found that third parties developing connectors are now exposing the AI features of their apps as connector tools. The issue is that these AI features may use third-party AI models and subprocessors that may not have been approved by your organization.

We reviewed all 7517 tools from the 487 Claude connectors available at the time of this publication, and assessed the risk of each tool routing requests through a second AI service downstream. Of the 487 connectors, 189, roughly two in five, contained tools that are highly likely to call additional AI services.

What the flagged tools do
The 386 flagged tools split across generation, retrieval, summarization, and domain-specific models.
Content / image / media generation
109
Semantic search / RAG retrieval
85
Summarization / Q&A
81
Recommendation / ranking
37
Transcription (ASR)
25
Extraction / document understanding
24
Domain-specific ML model
10
Other
15

Generation is the largest group: more than a quarter of the flagged tools create new content from your input. The rest search, summarize, transcribe, or extract it, and each one routes your data through a model to do it.

What are the risks
Connectors are calling AI tools that you may not have validated when you reviewed the vendor being connected. Each downstream call inherits that AI service's data practices, not just the vendor's.
  • Data residency: the downstream model can run in a region your DPA never approved, and may move without notice.
  • Training data and retention: your inputs may be retained, subject to human review, or used to train AI models.
  • Nth-party data processing: your data is sent from Claude to the connected app and then to an AI subprocessor such as Azure or even a model provider directly, such as the OpenAI API. Each of these providers may have differing data processing agreements.
  • Limited model governance: the model behind a connector's tool can be swapped with no visibility to the connector, impairing an organization's ability to vet whether tools are calling models that have not been approved by one's organization (such as DeepSeek).

As an example, if your Claude agent activates Zoom's connector tool to search meetings with natural language, and passes in a query containing sensitive data, Zoom AI may send that data to any of its twelve AI subprocessors in order to generate a response from one of ten different model families it uses.

AI-backed Connector Examples
Here are some examples of mainstream connectors flagged for having tools that leverage AI systems downstream.
Box
5/20 tools
Box AI reads your documents to answer questions.
Tools: AI QA Single File, AI QA Multi File, +3
Glean
6/8 tools
Semantic ranking over everything you connected to Glean.
Tools: Search, Code Search, +4
Adobe for creativity
8/67 tools
Generate and segment image content.
Tools: Generative Expand, Remove Background, +6
Zoom
1/5 tools
Natural-language search and Q&A over your meeting recordings and transcripts.
Tools: Search Meetings

Fun fact

In 54 connectors, at least half of their tools were flagged as AI-backed.

Know which connectors call other AI

PromptArmor Threat Intelligence

Is your organization protected from AI in vendors?

PromptArmor continuously monitors across your portfolio of third party AI in vendors, skills, plugins, connectors, MCP servers, models and more.

We detect vulnerabilities and changes like this, surfacing risk before it becomes an incident.

Learn more