google-cloud-storage

Google Cloud Storage Skills

This repository contains Agent Skills for Google Cloud Storage. These skills deliver vetted GCS expertise directly into your coding agent, letting you use natural language prompts in your preferred CLI or IDE to work with your storage resources.

[!NOTE] This repository is under active development. More skills will be added over time.

[!IMPORTANT] We Want Your Feedback! Please share your thoughts with us by opening an issue on GitHub. Your input is invaluable and helps us improve the project for everyone.

Contents

• Installation
• Available Skills
• Prerequisites
• GCS Security Assessment Skill
  • Required Permissions
  • Authentication
  • Usage Examples
• Security Reminder: Agent Environment Hardening
• Support
• Contributing
• License

Installation

npx skills add gemini-cli-extensions/google-cloud-storage

From the npx install command, you can select the specific skills from this repo to install. The skills work with any compatible coding agent, including Gemini CLI, Claude Code, Codex, and Antigravity CLI.

Available Skills

• GCS Security Assessment — Assesses the security posture of Google Cloud Storage projects and buckets, identifying toxic combinations of vulnerabilities and checking SAIF compliance.

Prerequisites

Ensure you have the following:

• A Google Cloud project with the resources you want to work with.
• Google Cloud SDK (gcloud CLI): Install and initialize the gcloud CLI and ensure Application Default Credentials (ADC) are configured.
• A compatible coding agent, such as Gemini CLI, Claude Code, Codex, or Antigravity CLI.

GCS Security Assessment Skill

The GCS Security Assessment skill is grounded in Google's Secure AI Framework (SAIF). Rather than emitting isolated static alerts, it correlates real telemetry signals gathered from your project to surface toxic combinations of vulnerabilities—scenarios where individually low-risk configurations combine to create a critical exposure—and provides actionable, verified remediation.

[!TIP] For the best analysis, we highly recommend being a Storage Intelligence customer. When Storage Intelligence is enabled, the skill can query your Storage Insights datasets to perform deep, bucket-level and object-level assessments. Without it, the skill falls back to a project-level assessment only.

Required Permissions

The only hard requirement is working Application Default Credentials (see Authentication). There is no required IAM permission—any authenticated identity can run the skill, though signals it cannot read are reported as UNKNOWN.

For a complete assessment, grant the recommended read-only roles covering Storage Insights telemetry (bucket/object analysis) and project-level posture (IAM and audit config, org policies, VPC Service Controls, and Model Armor). See PERMISSIONS.md for the full permission tables and a ready-to-apply custom IAM role (gcs-security-assessment-role.yaml).

Authentication

Before running an assessment, authenticate with Google Cloud so the agent can read your project telemetry and run any remediation you approve. It is recommended to run both of the following commands:

gcloud auth login
gcloud auth application-default login

• gcloud auth application-default login is required: the skill's scripts use Application Default Credentials (ADC) to generate access tokens for GCP API calls.
• gcloud auth login allows the agent (or you) to run standard gcloud commands to explore configurations or dig deeper into specific resources beyond what the skill scripts cover.

Usage Examples

Interact with your coding agent using natural language: