safe-gcloud-usage
Using gcloud Safely with safe-gcloud
Overview
Direct gcloud commands are blocked in this environment. All Google Cloud CLI operations must go through the safe-gcloud wrapper script, which enforces a project-specific allowlist of permitted commands.
How to Run gcloud Commands
Execute gcloud commands through the safe-gcloud wrapper script:
bash ${CLAUDE_PLUGIN_ROOT}/skills/safe-gcloud-usage/scripts/safe-gcloud.sh <command> [args...]
Examples:
bash ${CLAUDE_PLUGIN_ROOT}/skills/safe-gcloud-usage/scripts/safe-gcloud.sh projects list --format=json
bash ${CLAUDE_PLUGIN_ROOT}/skills/safe-gcloud-usage/scripts/safe-gcloud.sh config get-value project
bash ${CLAUDE_PLUGIN_ROOT}/skills/safe-gcloud-usage/scripts/safe-gcloud.sh auth list
The wrapper passes all arguments, flags, and piped input directly to gcloud for permitted commands.
Allowlist Configuration
Each project defines permitted commands in .claude/gcloud-allowlist.json. This file contains a JSON array of command patterns.
Pattern Syntax
| Pattern | Matches | Does Not Match |
|---|---|---|
| projects list | Exactly gcloud projects list | gcloud projects list --format=json |
| projects list:* | gcloud projects list with any args/flags | gcloud projects describe |
| projects:* | Any gcloud projects subcommand | gcloud compute instances list |
Example Allowlist
[
"projects list:*",
"config get-value:*",
"auth list",
"compute instances list:*",
"compute instances describe:*"
]
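The pattern rules above, as an added example (not the project's safe-gcloud.sh): a POSIX shell matcher for the three pattern forms, run against the example allowlist inlined as a string. The function names pattern_permits and allowlist_permits are hypothetical, and the example assumes a ":*" pattern also permits the bare command with no arguments.

```sh
# Added example, not the project's safe-gcloud.sh. Function names are hypothetical.

# pattern_permits PATTERN COMMAND: succeed if PATTERN permits COMMAND.
# COMMAND is the argument string without the leading "gcloud".
pattern_permits() {
  pattern=$1
  cmd=$2
  case $pattern in
    *:\*)
      prefix=${pattern%:\*}
      # The prefix must end on a word boundary, so "projects:*" does not
      # permit "projectsx list". Assumption: the bare prefix is permitted too.
      case $cmd in
        "$prefix" | "$prefix "*) return 0 ;;
      esac
      return 1 ;;
    *)
      # No ":*" suffix: exact match only, any extra flag is refused.
      [ "$cmd" = "$pattern" ] ;;
  esac
}

# The page's example allowlist, inlined one pattern per line so the example
# runs without .claude/gcloud-allowlist.json or a JSON parser.
ALLOWLIST='projects list:*
config get-value:*
auth list
compute instances list:*
compute instances describe:*'

# allowlist_permits ARGS...: succeed if any pattern permits the command.
allowlist_permits() {
  cmd="$*"
  while IFS= read -r p; do
    [ -n "$p" ] || continue
    pattern_permits "$p" "$cmd" && return 0
  done <<EOF
$ALLOWLIST
EOF
  return 1   # default deny; an empty allowlist blocks everything
}

# Constructed sample commands.
for c in "projects list --format=json" "auth list --format=json" \
         "compute instances delete vm-1"; do
  if allowlist_permits $c; then echo "ALLOW gcloud $c"; else echo "BLOCK gcloud $c"; fi
done
```

Under these rules a service-wide pattern such as "compute:*" would also permit the delete command in the sample loop, so the narrower "compute instances list:*" form keeps the allowlist closer to least privilege.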
Critical Restrictions
NEVER attempt to edit .claude/gcloud-allowlist.json. This file is under user control only. When a command is blocked due to missing permissions:
- Inform the user which command was blocked
- Suggest the pattern they could add to permit it
- Wait for the user to update the allowlist themselves
When Commands Are Blocked
If safe-gcloud blocks a command, it provides:
- The exact command that was attempted
- An error explaining the command is not in the allowlist
- A suggested pattern to add
Example blocked output:
ERROR: Command not permitted by allowlist.
Attempted command: gcloud compute instances list --zone=us-central1-a
The allowlist at .claude/gcloud-allowlist.json does not include a pattern that permits this command.
To allow this command, add an appropriate pattern to the allowlist.
For example, to allow this specific command with any flags:
"compute instances list:*"
Suggesting Patterns to Users
When the user asks what pattern to add, analyze the command and suggest the appropriate pattern:
- For a specific command with flags: "<command> <subcommand>:*"
- For all subcommands of a service: "<service>:*"
- For exact command only (no flags): "<command> <subcommand>"
Example suggestions:
- User wants gcloud run deploy: suggest "run deploy:*"
- User wants all compute commands: suggest "compute:*"
- User wants only gcloud auth list with no flags: suggest "auth list"
Missing Allowlist File
If .claude/gcloud-allowlist.json does not exist, all gcloud commands are blocked. Inform the user they need to create this file with their desired patterns.
Dependencies
The safe-gcloud wrapper requires:
- gcloud CLI installed and configured