This skill should be used when the user asks to "run a gcloud command", "use gcloud", "access Google Cloud", "list GCP projects", "check gcloud config", or any task involving the Google Cloud CLI. Also use when Claude needs to suggest patterns for the gcloud allowlist or explain why a gcloud command was blocked. Use this skill immediately when you see "Direct gcloud commands are blocked" or "Use the safe-gcloud wrapper instead" in an error message.
From safe-gcloud

```bash
npx claudepluginhub dhughes/claude-marketplace --plugin safe-gcloud
```

This skill uses the workspace's default tool permissions.
scripts/safe-gcloud.sh
Direct gcloud commands are blocked in this environment. All Google Cloud CLI operations must go through the safe-gcloud wrapper script, which enforces a project-specific allowlist of permitted commands.
Execute gcloud commands through the safe-gcloud wrapper script:
```bash
bash ${CLAUDE_PLUGIN_ROOT}/skills/safe-gcloud-usage/scripts/safe-gcloud.sh <command> [args...]
```
Examples:
```bash
bash ${CLAUDE_PLUGIN_ROOT}/skills/safe-gcloud-usage/scripts/safe-gcloud.sh projects list --format=json
bash ${CLAUDE_PLUGIN_ROOT}/skills/safe-gcloud-usage/scripts/safe-gcloud.sh config get-value project
bash ${CLAUDE_PLUGIN_ROOT}/skills/safe-gcloud-usage/scripts/safe-gcloud.sh auth list
```
The wrapper passes all arguments, flags, and piped input directly to gcloud for permitted commands.
Each project defines permitted commands in .claude/gcloud-allowlist.json. This file contains a JSON array of command patterns.
| Pattern | Matches | Does Not Match |
|---|---|---|
| `projects list` | Exactly `gcloud projects list` | `gcloud projects list --format=json` |
| `projects list:*` | `gcloud projects list` with any args/flags | `gcloud projects describe` |
| `projects:*` | Any `gcloud projects` subcommand | `gcloud compute instances list` |
```json
[
  "projects list:*",
  "config get-value:*",
  "auth list",
  "compute instances list:*",
  "compute instances describe:*"
]
```
NEVER attempt to edit .claude/gcloud-allowlist.json. This file is under user control only. When a command is blocked due to missing permissions:
If safe-gcloud blocks a command, it provides:
Example blocked output:
```
ERROR: Command not permitted by allowlist.
Attempted command: gcloud compute instances list --zone=us-central1-a
The allowlist at .claude/gcloud-allowlist.json does not include a pattern that permits this command.
To allow this command, add an appropriate pattern to the allowlist.
For example, to allow this specific command with any flags:
"compute instances list:*"
```
When the user asks what pattern to add, analyze the command and suggest the appropriate pattern:
- `"<command> <subcommand>:*"`
- `"<service>:*"`
- `"<command> <subcommand>"`

Example suggestions:

- `gcloud run deploy`: suggest `"run deploy:*"`
- `"compute:*"`
- `gcloud auth list` with no flags: suggest `"auth list"`

If `.claude/gcloud-allowlist.json` does not exist, all gcloud commands are blocked. Inform the user they need to create this file with their desired patterns.
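The matching rules from the pattern table and the missing-allowlist behaviour described above, modelled in Python as an added example; this is not the plugin's `safe-gcloud.sh`, whose implementation this page does not show. The function names, the whole-token prefix matching, and the treatment of a malformed file as "deny everything" are assumptions of the example.

```python
import json
from pathlib import Path

# The example allowlist shown on this page.
PAGE_ALLOWLIST = [
    "projects list:*",
    "config get-value:*",
    "auth list",
    "compute instances list:*",
    "compute instances describe:*",
]

def load_allowlist(path):
    """Return the patterns in the allowlist file. A missing, unreadable or
    malformed file yields [] so that every command is denied (fail closed)."""
    try:
        data = json.loads(Path(path).read_text())
    except (OSError, ValueError):
        return []
    if isinstance(data, list) and all(isinstance(p, str) for p in data):
        return data
    return []

def pattern_permits(pattern, argv):
    """argv is the gcloud command line without the leading 'gcloud'."""
    args = list(argv)
    if pattern.endswith(":*"):
        prefix = pattern[:-2].split()
        # Assumption: the prefix must match whole leading tokens, so
        # "projects:*" does not permit a command named "projectsx", and an
        # argument with an embedded space cannot stand in for two tokens.
        return len(prefix) > 0 and args[:len(prefix)] == prefix
    # No ":*" suffix: the whole command line must equal the pattern.
    return args == pattern.split()

def is_permitted(patterns, argv):
    return any(pattern_permits(p, argv) for p in patterns)

if __name__ == "__main__":
    for argv in (  # constructed sample commands
        ["projects", "list", "--format=json"],
        ["auth", "list"],
        ["auth", "list", "--format=json"],
        ["compute", "instances", "delete", "example-vm"],
    ):
        verdict = "allow" if is_permitted(PAGE_ALLOWLIST, argv) else "BLOCK"
        print(f"{verdict:5}  gcloud {' '.join(argv)}")
```

Run against the page's example allowlist, `auth list --format=json` is blocked because `"auth list"` carries no `:*` suffix, which is the distinction to weigh when choosing between an exact pattern and a prefix pattern.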
The safe-gcloud wrapper requires:
- gcloud CLI installed and configured