Server Info

Package: mcp-server-bigquery
Registry: pypi
Maintainer: Community
Category: Analytics & Data
Tags: data-warehouse, google, sql
Last Scanned: 7 Apr 2026

Findings

7 issues

Authentication & Identity

HIGH: No per-request auth - requires instance-per-user

Stdio-only transport. Authenticates to BigQuery via a service account key file (BIGQUERY_KEY_FILE env var or --key-file CLI arg). No MCP-level auth; any client with stdio access has full query permissions. For multi-tenant deployment, the platform must spawn a separate server instance per user.

Remediation

Add HTTP/SSE transport to accept per-request Authorization headers, or implement the MCP OAuth spec.

Tool Schema Quality

MEDIUM: 0 of 3 schemas have parameter constraints

Most schemas lack maxLength, enum, or pattern constraints on string parameters.

Remediation

Add constraints to string parameters, especially on write operations.

CRITICAL: Dangerous execution surface: execute-query accepts an arbitrary SQL string with no validation, constraints, or maxLength

Tool allows raw code/query execution which could be exploited via prompt injection.

Remediation

Use parameterized queries or validated command sets.

Permission Granularity

MEDIUM: 1 tool combines read and write operations

All 3 tools are labeled as read operations, but execute-query is effectively mixed read/write since it accepts arbitrary SQL with no enforcement of SELECT-only. There is no separate write tool that could be disabled independently. The tool description says 'SELECT query' but the implementation passes the query string directly to BigQuery with no validation.

Remediation

Split into separate read and write tools.

LOW: Tool descriptions lack resource scope

Descriptions don't specify what data types or resources they access.

Remediation

Add resource type statements to descriptions.

Data Exposure

LOW: No field selection on responses

Responses return full records rather than projected fields.

Remediation

Implement field selection to return only relevant fields.

Maintenance & Trust

LOW: Community-maintained by Lucas Hild

No official vendor backing.

Remediation

Seek vendor verification.

Tools

3 total
Name           | Description                                       | Risk
execute-query  | Execute a SELECT query on the BigQuery database    | read
list-tables    | List all tables in the BigQuery database           | read
describe-table | Get the schema information for a specific table   | read
