gdrive-readonly-mcp

A read-only Google Drive MCP server for Claude Desktop, written in Go. Provides secure, read-only access to Google Drive files, Google Docs, and Google Sheets through the Model Context Protocol.

• List files -- Browse files in Google Drive with optional name filtering and folder scoping
• Search files -- Full-text and name search across your entire Drive
• File metadata -- Retrieve detailed metadata for any file by ID
• Read files -- Extract text from Google Docs, read Google Sheets as TSV, or download text-based regular files (auto-detects type by MIME)
• Read spreadsheets -- Read specific cell ranges from Google Sheets using A1 notation (use this when you need a targeted range rather than the whole sheet)

This server is designed with security as a first principle:

• Hardcoded read-only OAuth scopes -- The server requests only drive.readonly, documents.readonly, and spreadsheets.readonly scopes. Write scopes are never used and cannot be configured.
• Token file permissions -- OAuth tokens are saved with 0600 permissions (owner read/write only).
• Query escaping -- All user input in Google Drive API queries is escaped to prevent injection.
• File ID validation -- File IDs are validated against a strict allowlist of characters before any API call.
• Download size cap -- Non-Google file downloads are capped at 1 MB to prevent memory exhaustion.
• Binary file rejection -- Only text-based MIME types are served; binary files return a clear error.
• CSRF protection -- The OAuth callback flow uses a cryptographically random state parameter.
• API call timeouts -- Every Google API call is wrapped with a 30-second context timeout, preventing a hung upstream call from stalling the MCP server indefinitely.
• Rate limiting -- Google API calls are rate-limited to 5 requests per second with a burst allowance of 10, preventing LLM retry loops from exhausting Google A