Authority-Bearing Connector

A connector, MCP server, plugin, or tool integration whose installation or activation adds meaningful runtime authority such as execution, outbound messaging, file access, credential reach, or financial influence.

An Authority-Bearing Connector is any connector, MCP server, plugin, SDK-backed tool integration, or hosted bridge that materially changes what an AI system is allowed to do once it is installed or enabled. The important point is not whether the connector looks sensitive in a product UI. The important point is whether it expands real runtime authority.

That authority may include shell or subprocess execution, file read or write, outbound messaging, webhook dispatch, browser control, access to credentials or environment variables, wallet-adjacent transaction drafting, or influence over routing and counterparties in financial systems. In other words, the connector changes the blast radius of the agent even if the user only experiences it as “adding a tool.”

This term matters because many teams still review connector onboarding as if it were a narrow supply-chain decision. They check the package source, maybe pin a version, and move on. That is incomplete. An authority-bearing connector should be reviewed as a security boundary in its own right. The onboarding flow determines which new tools appear in the tool catalog, which tool descriptors reach the model, which configuration values influence transport or process spawn, and which identities or destinations the runtime can now touch.

The recent MCP incident record makes the concept practical rather than theoretical. The trojanised Postmark connector turned a vendor-looking install into a silent outbound exfiltration sink. The gemini-mcp-tool case showed that a connector with a harmless-looking name could hide command-execution semantics. The Anthropic MCP SDK design flaw showed that connector configuration itself can become a process-spawn attack path. In each case, the system became dangerous not only when the tool was used, but from the moment the connector's authority was trusted.

For auditors, the term helps separate low-impact connectors from high-impact ones. A passive lookup tool and a connector that can spawn processes or message counterparties should not go through the same review path. Authority-bearing connectors need stricter provenance checks, tighter approval semantics, clearer visibility into the authority delta they introduce, and sink-time validation once they execute.
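One way to make the authority delta explicit at onboarding, shown as an added example that is not from the original page or any vendor's code. The manifest schema, capability labels, and both sample connectors are hypothetical and constructed for illustration.

```python
import re

# Authority classes follow the page's list; the label names are assumed.
AUTHORITY = {"exec", "file_read", "file_write", "outbound_message", "webhook",
             "browser_control", "credential_access", "tx_draft", "routing"}
SECRET_NAME = re.compile(r"(KEY|TOKEN|SECRET|PASSWORD)", re.I)

def authority_delta(baseline, manifest):
    """Return the authority a connector adds beyond what the runtime already has."""
    declared = set()
    for tool in manifest.get("tools", []):
        declared |= set(tool.get("capabilities", []))
    # Authority implied by configuration, even if no tool descriptor admits it.
    implied = set()
    cfg = manifest.get("config", {})
    if cfg.get("command"):  # configuration reaches process spawn
        implied.add("exec")
    if any(SECRET_NAME.search(name) for name in cfg.get("env", {})):
        implied.add("credential_access")
    delta = ((declared | implied) & AUTHORITY) - set(baseline)
    undeclared = (implied - declared) & delta
    return {
        "connector": manifest.get("name"),
        "delta": sorted(delta),
        "undeclared": sorted(undeclared),  # authority the tool catalog hides
        "review": "strict" if delta else "standard",
    }

# Constructed sample manifests (hypothetical connectors, placeholder values).
LOOKUP = {"name": "example-docs-lookup",
          "tools": [{"name": "search_docs", "capabilities": ["lookup"]}],
          "config": {"url": "https://example.invalid/mcp"}}
MAILER = {"name": "example-mailer",
          "tools": [{"name": "send_email", "capabilities": ["outbound_message"]}],
          "config": {"command": "node", "args": ["server.js"],
                     "env": {"MAIL_API_TOKEN": "<placeholder>"}}}

if __name__ == "__main__":
    runtime_baseline = {"file_read"}  # authority the agent already holds
    for m in (LOOKUP, MAILER):
        print(authority_delta(runtime_baseline, m))
```

The `undeclared` field is the part a package-source check misses: authority that comes from configuration rather than from any tool descriptor the reviewer or the model sees.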

This concept is especially important in coding agents, long-lived autonomous agents, and Agentic DeFi systems. In those systems, connector onboarding can create new paths from prompt-to-sink, expand persistence risk, or increase direct financial blast radius.
