Connectors: Where Cowork Meets Your Tools

The Read-Only-First Rule for Connectors

Don't grant write permissions until you trust the workflow.

You connect Cowork to your email. The setup screen lists what it's asking for: read your messages, send messages on your behalf, manage your drafts and labels. You're in a hurry, so you grant all of it and move on.

Two weeks later, something moves that you didn't move. A thread you meant to keep gets archived. A half-written draft goes out a day early. Nothing catastrophic, but you didn't do it, and for a second you can't tell what did.

Cowork did exactly what you authorized. The connector worked perfectly.

The problem was the grant. You handed over write access on day one, before you'd watched the workflow run even once. The fix is a rule you apply at connection time: read-only first.

# Read tools and write tools are not the same thing

When you connect a service, Cowork doesn't get one undifferentiated blob of "access." It gets a set of specific actions, and those split cleanly into two kinds.

Read actions look at things. Fetch a message, search a folder, list your events, pull a document. They observe; they change nothing.

Write actions change things. Send, reply, archive, delete, move, rename, create, update. They reach back into the system and alter it.