Many agent demos look simple: give the model tools, put a GitHub/Gmail/Slack token in an environment variable, and let the agent call APIs.
That works for demos. It gets uncomfortable in products.
The hard questions are not only "can the agent call the API?" They are:
- Which user's account is this action using?
- Which scopes were granted?
- Can the agent call only safe actions?
- Are run logs exposing sensitive inputs or provider responses?
- Is the schema the same across MCP, HTTP, SDK, CLI, and docs?
- What happens when the user disconnects, rotates credentials, or switches accounts?
That is why oomol-lab/open-connector
is worth a look.
Project: https://github.com/oomol-lab/open-connector