Allows reading emails and creating drafts within Gmail while preventing data exfiltration by disabling email sending.
Provides a security-hardened suite of integrations for Google Workspace services including Gmail, Drive, Docs, Sheets, Calendar, Forms, and Slides.
Provides capabilities to view existing calendar events and create new ones.
Uses Google Cloud OAuth credentials to securely authenticate and access Google Workspace data with tokens stored in macOS Keychain.
Provides tools to read and edit content within Google Docs documents.
Enables reading and creating files in Google Drive while restricting external sharing capabilities for enhanced security.
Allows for reading and creating Google Forms.
Enables reading from and writing data to Google Sheets spreadsheets.
Enables reading and editing Google Slides presentations.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Hardened Google Workspace MCPsummarize the 'Q4 Planning' doc and list the action items"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Hardened Google Workspace MCP
A security-hardened Google Workspace integration for Claude Code.
This is a fork of taylorwilsdon/google_workspace_mcp with dangerous operations removed to prevent data exfiltration via prompt injection attacks. See SECURITY.md for details.
What This Does
Enables Claude Code to interact with your Google Workspace:
Gmail: Read emails, create drafts (cannot send)
Google Drive: Read/create files (cannot share externally)
Google Docs: Read and edit documents
Google Sheets: Read and write spreadsheets
Google Calendar: View and create events (cannot add attendees)
Google Forms: Read and create forms
Google Slides: Read and edit presentations
Why "Hardened"?
LLMs are vulnerable to prompt injection attacks—malicious instructions hidden in content the model processes. An attacker could embed instructions in an email or document that trick the AI into exfiltrating sensitive data.
This fork removes all tools that could send data outside your account:
No email sending - Claude can draft emails, but you must manually send them from Gmail
No file sharing - Claude cannot share files with external users
No filter creation - Claude cannot create auto-forwarding rules
No event attendees - Claude cannot add attendees to calendar events (invitations could exfiltrate data)
Secure credential storage - OAuth tokens stored in macOS Keychain, not plaintext files
⚠️ This Reduces Risk, It Does NOT Eliminate It
Important: This hardening only affects the Google Workspace tools. Claude Code has access to many other tools that could be used for data exfiltration (web requests, file writes, code execution, other MCP servers).
You must stay vigilant:
Always review tool calls before approving them
Never disable permission prompts
Be suspicious of unexpected web requests or file operations
Monitor Claude's behavior when processing external content
See SECURITY.md for the complete security model and additional risks.
Prerequisites
Claude Code installed on your machine
A Google Workspace or personal Google account
Python 3.11+ installed
Quick Start
Step 1: Create OAuth Credentials
Follow OAUTH_SETUP.md to create Google Cloud OAuth credentials.
Step 2: Install Dependencies
Note: If you don't have
uvinstalled, run:curl -LsSf https://astral.sh/uv/install.sh | sh
Step 3: Configure Claude Code
Add the MCP server using claude mcp add:
Replace YOUR_CLIENT_ID and YOUR_CLIENT_SECRET with your OAuth credentials.
Or manually add to ~/.claude/mcp_config.json:
Step 4: Authorize with Google
Start (or restart) Claude Code
The first time you use a Google Workspace tool, a browser window will open
Sign in with your Google account
Click "Allow" to grant permissions
For detailed instructions, see SETUP.md.
Example Prompts
Once set up, try these prompts in Claude Code:
Troubleshooting
"OAuth credentials not found"
Make sure you've set the GOOGLE_OAUTH_CLIENT_ID and GOOGLE_OAUTH_CLIENT_SECRET environment variables in your MCP config.
"Permission denied" errors
Delete the credentials folder:
rm -rf ~/.credentials/workspace-mcp/Restart Claude Code
Re-authorize with your Google account
"Tool not found" errors
Make sure the MCP server is running. Check Claude Code's MCP status panel.
Browser doesn't open for authorization
If the browser doesn't open automatically, check the Claude Code output for a URL to copy/paste manually.
Security Notes
Never disable permission prompts - Always review what Claude is asking to do
Drafts require manual sending - Claude can create email drafts, but you must open Gmail to send them
No external sharing - Claude cannot share files outside your organization
Report issues - If Claude behaves unexpectedly, file an issue
⚠️ Remaining Risks
While this fork removes obvious exfiltration vectors, data leakage is still possible:
Shared folder creation - Creating documents in folders already shared with external parties
Attacker-owned documents - Editing documents that an attacker has shared with you
Jailbreak with API access - A jailbroken Claude could potentially write code to directly call Google APIs
Best practices:
Review document creation/editing operations carefully
Be suspicious of recently shared external documents
Monitor your Google Drive activity after Claude sessions
Consider using a dedicated Google account for sensitive work
See SECURITY.md for comprehensive security documentation and mitigation strategies.
Support
For issues with this project, please file an issue on GitHub.
Based on