gmail-mcp
Provides tools for reading, searching, sending, drafting, labeling, filtering, and threading Gmail messages through the Gmail API, with scope-gated access and security safeguards.
π§ gmail-mcp
Read, search, send, draft, label, filter, and thread Gmail from any MCP-enabled AI assistant. Wraps the Gmail API with scope-gated tools and in-process safeguards.
Hardened + enhanced fork ofGongRzhe/Gmail-MCP-Server (archived 2026-03-03), via ArtyMcLabin/Gmail-MCP-Server. Since the divergence point: 130+ commits and an extensive rewrite β security hardening, Gmail-surface improvements (reply-all, send-as alias, thread-level tools, download-to-disk, recipient pairing, batch ops with retryβ¦), supply-chain hygiene, and CI gating. Every PR goes through CodeRabbit + dual-model Qodo Merge before merge. See SECURITY.md for the controls and threat model, and the comparison table below for the parent-forks delta.
A Model Context Protocol (MCP) server that lets AI assistants (Claude Desktop, Claude Code, Cursor, Continue, OpenClawβ¦) read and manage a Gmail account through scope-gated tools. Exposes the Gmail v1 API surface you actually need (messages, threads, labels, filters, attachments, drafts, reply-all) behind a single npx install.
β¨ Why this MCP?
Comparison of the three maintained forks of the original Gmail MCP server, focusing on what an agent platform actually needs β prompt-injection safety, supply-chain integrity, and operational hygiene:
Capability | GongRzhe/Gmail-MCP-Server (original, unmaintained) | ArtyMcLabin/Gmail-MCP-Server (intermediate fork) | klodr/gmail-mcp (this repo) |
Core Gmail surface | |||
Send / draft / read / search messages | β | β | β |
Label CRUD | β | β | β |
Filter CRUD | β οΈ | β fixed | β |
Batch modify / delete | β | β | β |
Reply threading ( | β orphaned replies | β | β |
Reply-all tool | β | β | β |
Send-as alias ( | β | β | β |
Thread-level tools ( | β | β | β |
Download email to disk ( | β | β | β |
Download attachment | β | β | β |
OAuth / authorization | |||
| β | β | β |
Tool list filtered by granted scopes | β | β | β |
OAuth credentials file mode | β | β | β |
Security β input handling | |||
CRLF header injection sanitization ( | β | β οΈ partial | β |
Path traversal in | β | β fixed | β |
Attachment source jail ( | β | β | β |
Download destination jail ( | β | β | β |
| β | β | β |
Post- | β | β | β |
Zod bounds on | β | β | β |
Cryptographic MIME boundary ( | β | β | β |
MCP protocol & tool surface | |||
MCP SDK version | v0.4.x | v1.27.x | v1.29.x |
Tool annotations ( | β | β | β |
| β | β | β |
Publishing / discoverability | |||
Published on npm | β stale β no future releases (repo archived) | β (consumed as a GitHub install from the intermediate fork) | β dedicated scoped package, signed releases |
Active maintenance (last 30 d) | β (archived 2026-03-03) | β οΈ sporadic | β daily review cycle (CodeRabbit + human) |
Supply-chain integrity | |||
Node.js floor | β | β | β
|
CI: CodeQL Advanced ( | β | β | β |
CI: OpenSSF Scorecard (weekly scan + badge) | β | β | β |
CI: Socket Security supply-chain alerts | β | β | β |
CI: CodeRabbit assertive reviews on every PR | β | β | β |
Release: Sigstore-signed | β | β | β |
Release: npm provenance statement | β | β | β |
Release: single-file ESM bundle | β | β | β |
Testing | |||
Unit/property tests | β (0 tests) | β οΈ (97 tests) | β (631 tests) |
Statement coverage across | 0% | 16.14% | >97% |
Fast-check property-based fuzz suite | β | β | β |
Hardening-specific test file (jails, CRLF, O_EXCL) | β | β | β |
CI/CD hardening | |||
Shell-injection-safe GitHub Actions workflows | β | β | β |
Workflows use least-privilege | β | β | β |
All GitHub Actions pinned by full commit SHA | β | β | β |
Operational | |||
| β | β | β |
| β | β | β |
klodr/gmail-mcp is the only one of the three with (a) source-path jails that make prompt-injection attachment exfiltration inert, (b) a modern supply chain (Scorecard, Socket, Sigstore), and (c) an in-repo review policy (.coderabbit.yaml) that every PR must pass before merge.
Related MCP server: mercury-invoicing-mcp
π¦ Installation
npm install -g @klodr/gmail-mcpOr directly via npx:
npx -y @klodr/gmail-mcpRequires Node.js 22+.
βοΈ Configuration
1οΈβ£ Google Cloud OAuth credentials
Open the Google Cloud Console.
Create a project and enable the Gmail API.
Under APIs & Services β Credentials, create an OAuth 2.0 Client ID (Desktop or Web). For Web, add
http://localhost:3000/oauth2callbackto the authorised redirect URIs.Download the JSON, rename it to
gcp-oauth.keys.json, place it at~/.gmail-mcp/gcp-oauth.keys.json(or override withGMAIL_OAUTH_PATH=/abs/path/gcp-oauth.keys.json).
2οΈβ£ Authenticate (once)
npx -y @klodr/gmail-mcp auth --scopes=gmail.readonlyAlways pass --scopes with the minimum you actually need β the MCP filters the tool list at startup based on the granted scopes, so a read-only token doesn't expose write tools to the LLM. A browser opens for Google's consent flow; tokens are written to ~/.gmail-mcp/credentials.json (mode 0o600).
3οΈβ£ Register the server with your MCP client
{
"mcpServers": {
"gmail": {
"command": "npx",
"args": ["-y", "@klodr/gmail-mcp"]
}
}
}Client-specific config file:
Claude Code:
~/.claude.jsonClaude Desktop:
~/Library/Application Support/Claude/claude_desktop_config.json(macOS) /%APPDATA%\Claude\claude_desktop_config.json(Windows)Cursor:
~/.cursor/mcp.jsonOpenClaw:
~/.openclaw/openclaw.json
See llms-install.md for an LLM-readable install guide.
π OAuth scopes
Scope shorthand | Full Gmail scope | What it grants |
|
| Read messages, threads, labels (filter tools require |
|
| Readonly + apply/remove labels, delete messages |
|
| Create drafts |
|
| Send messages |
|
| Manage labels only |
|
| Manage filters |
Recipes:
# Read-only browsing
npx @klodr/gmail-mcp auth --scopes=gmail.readonly
# Read + send (mailing-list bot)
npx @klodr/gmail-mcp auth --scopes=gmail.readonly,gmail.send
# Everything (default; explicit)
npx @klodr/gmail-mcp auth --scopes=gmail.modify,gmail.settings.basic
# Default + permanent delete (delete_email / batch_delete_emails)
# gmail.modify authorizes trash; mail.google.com is the only scope
# that authorizes purging from Trash. Both are listed because the
# tool gate does exact scope-name matching β a token holding only
# mail.google.com would not enable the gmail.modify-gated tools,
# even though Google's scope hierarchy would technically accept the
# same calls.
npx @klodr/gmail-mcp auth --scopes=gmail.modify,mail.google.com,gmail.settings.basicπ‘οΈ Safeguards
Knob | Env var | Default | Notes |
Attachment jail |
|
| Every attachment path ( |
Download jail |
|
|
|
OAuth keys path |
|
| Google Desktop/Web OAuth client credentials. |
Credentials path |
|
| Access/refresh tokens. File mode |
Rate limit state dir |
|
| Where the rolling call-history for rate limiting is persisted ( |
Rate limit overrides |
| see below | Override the per-bucket daily/monthly caps. Buckets: |
Rate limit disable |
| unset (limiter active) | Kill-switch for the entire limiter. Use only for test suites or controlled batch operations. |
Audit log |
| unset (no audit trail) | Opt-in append-only JSONL log of every tool call (name, redacted args, outcome). File mode |
Dry-run |
| unset (real calls) | When |
π οΈ Tools
The exact set depends on the OAuth scopes granted at auth time. Full catalog:
Messages β
send_email,draft_email,read_email,search_emails,modify_email,delete_email,download_email,download_attachment,batch_modify_emails,batch_delete_emails,reply_all,reply_to_email,forward_emailDrafts β
list_drafts,get_draft,update_draft,delete_draft,send_draft(fullusers.drafts.*surface;draft_emailabove creates the initial draft)Threads β
get_thread,list_inbox_threads,get_inbox_with_threads,modify_threadLabels β
list_email_labels,create_label,update_label,delete_label,get_or_create_labelFilters β
list_filters,get_filter,create_filter,delete_filter,create_filter_from_templateRecipient pairing β
pair_recipient(manage the~/.gmail-mcp/paired.jsonallowlist whenGMAIL_MCP_RECIPIENT_PAIRING=true)
Every write tool is annotated with destructiveHint / readOnlyHint / idempotentHint per the MCP spec so policy-aware clients can gate on HITL confirmation.
π search_emails query syntax
search_emails accepts Gmail's native search operators β from:, to:, subject:, has:attachment, after:YYYY/MM/DD, before:YYYY/MM/DD, is:unread, label:<name>, etc. They combine freely: from:alice@example.com after:2026/01/01 has:attachment. Full reference: Google's Gmail search operators cheat sheet.
πΊοΈ Roadmap
See ROADMAP.md.
π Ecosystem
Other MCP servers in the klodr family
π§ klodr/gmail-mcp β Gmail (you are here)
π klodr/faxdrop-mcp β Send real faxes via FaxDrop
π¦ klodr/mercury-invoicing-mcp β Mercury banking + invoicing
Wider Gmail-MCP landscape
29 standalone repositories and 349 forks of the original GongRzhe server are reviewed in docs/COMPETITORS.md β which ideas we borrowed, which we chose not to, and where klodr/gmail-mcp sits on the maturity axes.
π€ Contributing
See CONTRIBUTING.md for the test / build / lint checklist and release process.
π Security
See SECURITY.md for the vulnerability-reporting process and the current security model, and ASSURANCE_CASE.md for the threat model, trust boundaries, and CWE/OWASP mitigation table.
π Project continuity
See CONTINUITY.md for the handover plan if the maintainer becomes unavailable.
π License
MIT β see LICENSE.
π History
klodr/gmail-mcp is the maintenance fork of a two-step upstream chain:
GongRzhe/Gmail-MCP-Server β the original server. Unmaintained since August 2025 (7+ months with zero maintainer activity and 72+ unmerged pull requests).
ArtyMcLabin/Gmail-MCP-Server β Arty MacKiewicz's active fork, which merged a pile of long-pending community PRs: reply threading (#91), reply-all (#3 by @MaxGhenis),
list_filtersfix (#4 by @nicholas-anthony-ai),--scopesflag (#6 by @tansanDOTeth), CI/CD hardening (#9) + security hardening (#10) + dependency CVE fixes (#11) by @JF10R, tool annotations (#14 by @bryankthompson),download_email(#13 by @icanhasjonas).
klodr/gmail-mcp carries all of the above forward and adds the supply-chain / path-jail / review-policy layer (see comparison table above). Credit to every PR author along the chain.
Maintenance
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/klodr/gmail-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server