GCP MCP Server
Community MCP server for Google Cloud Platform that executes arbitrary GCP code via vm.runInContext
Server Info
- Package: gcp-mcp
- Registry: npm
- Repository: eniayomi/gcp-mcp
- Maintainer: Community
- Category: Cloud & Infrastructure
- Tags: gcp, cloud, google
- Last Scanned: 7 Apr 2026
Findings
12 issues
Authentication & Identity
HIGH: No per-request auth - requires instance-per-user
Stdio-only transport. Uses GoogleAuth with cloud-platform scope, relying on Application Default Credentials (ADC). No explicit env vars are read by the server itself; authentication is handled by the google-auth-library which reads GOOGLE_APPLICATION_CREDENTIALS or uses gcloud auth. For multi-tenant deployment, the platform must spawn a separate server instance per user.
Add HTTP/SSE transport to accept per-request Authorization headers, or implement the MCP OAuth spec.
Tool Schema Quality
MEDIUM: Only 0 of 9 schemas have parameter constraints
Most schemas lack maxLength, enum, or pattern constraints on string parameters.
Add constraints to string parameters, especially on write operations.
CRITICAL: Dangerous execution surface: run-gcp-code
Tool allows raw code/query execution which could be exploited via prompt injection.
Use parameterized queries or validated command sets.
Permission Granularity
MEDIUM: 1 tool combines read and write operations
The run-gcp-code tool is a god-mode tool that can perform any GCP operation including creating, modifying, and deleting resources. It mixes read and write capabilities in a single tool with no restrictions. The select-project tool modifies server state. Dedicated read tools (billing, clusters, SQL, logs) are separate but redundant given run-gcp-code.
Split into separate read and write tools.
HIGH: 1 destructive operation not isolated
Admin/delete tools are mixed with regular operations and cannot be independently disabled.
Namespace admin tools separately for independent access control.
LOW: Tool descriptions lack resource scope
Descriptions don't specify what data types or resources they access.
Add resource type statements to descriptions.
LLM Safety
MEDIUM: 1 tool description is too vague
Short or generic descriptions make tool selection unreliable.
Expand descriptions with specific actions, data types, and side effects.
HIGH: Tool descriptions contain instructional language
Descriptions include directives that could influence LLM behavior beyond tool selection.
Remove instructional language. Descriptions should be purely factual.
Data Exposure
MEDIUM: 4 list operations lack pagination
get-logs has pageSize parameter (default 10). list-projects, list-gke-clusters, list-sql-instances, and list-projects return all results without pagination. run-gcp-code instructs the LLM to handle pagination but that depends on generated code quality.
Add limit/offset or cursor-based pagination.
LOW: No field selection on responses
Responses return full records rather than projected fields.
Implement field selection to return only relevant fields.
Maintenance & Trust
LOW: Community-maintained by Oluwapelumi Oluwaseyi (eniayomi)
No official vendor backing.
Seek vendor verification.
HIGH: 27 dependency vulnerabilities (5 critical, 8 high)
npm audit found 5 critical and 8 high severity CVEs.
Run `npm audit fix` and update vulnerable dependencies.
Tools
9 total

| Name | Description | Risk |
|---|---|---|
| run-gcp-code | Run GCP code | admin |
| list-projects | List all GCP projects accessible with current credentials | read |
| select-project | Selects GCP project to use for subsequent interactions | write |
| get-billing-info | Get billing information for the current project | read |
| get-cost-forecast | Get cost forecast for the current project | read |
| get-billing-budget | Get billing budgets for the current project | read |
| list-gke-clusters | List all GKE clusters in the current project | read |
| list-sql-instances | List all Cloud SQL instances in the current project | read |
| get-logs | Get Cloud Logging entries for the current project | read |