SkillTotal

Is Google Drive MCP server safe?

@modelcontextprotocol/server-gdrive is an AI npm_package analyzed by SkillTotal's deterministic static scanner. The scan found no malicious indicators, though 1 risky construct is reported for review. Detected capability: install time execution (capabilities are what the code can do, not a verdict on intent). Risk score 0/100 (low).

@modelcontextprotocol/server-gdrive 2025.1.14

npm_package · npm:@modelcontextprotocol/server-gdrive
LOW · 0 / 100 malicious-risk
Snapshot · scanned Jun 20, 2026 · @modelcontextprotocol/server-gdrive@2025.1.14 · engine 0.18.0 / ruleset 19
No malicious indicators - review capabilities before installing
Notable — review in context (capabilities are not malware):
  • npm prepare hook

No malicious indicators found by static analysis.

Capabilities — what this component can do (not a risk score):
install time execution

Findings (1)

MEDIUM · npm prepare hook · ST-INSTALL-NPM-PREPARE

package.json has a 'prepare' script (runs on git/local installs and before publishing).

"prepare": "npm run build",

Why it matters: Usually a build step, but confirm it doesn't fetch or run remote code.

Fix: Usually a legitimate build step; confirm it only builds and does not fetch or execute remote code.

How we determine this: deterministic static analysis (regex + AST), evidence-anchored, no code execution.