Google Workspace Admin
ReviewAudited by ClawScan on May 1, 2026.
Overview
This is a clearly disclosed but powerful Google Workspace admin integration that should only be used with trusted Maton access, least-privileged OAuth scopes, and careful approval of writes.
Before installing, confirm you trust Maton as the API/OAuth gateway, use a least-privileged Google admin account, restrict OAuth scopes to the resources needed, always verify the exact write operation before approving it, and delete or revoke the connection when finished.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If approved, the agent could change important Google Workspace account resources such as users, groups, organizational units, roles, or domain settings.
The skill exposes high-impact administrative write operations, but it also discloses the impact and requires explicit approval before POST, PUT, PATCH, or DELETE calls.
This is a write-capable administrative integration for users, groups, organizational units, roles, and domain settings. ... All write operations require explicit user approval showing the exact HTTP method, endpoint path, and target resource identifier before execution.
Use read-only checks first, approve writes only after verifying the exact method, endpoint, and target, and avoid broad or bulk changes unless intentionally requested.
A broadly scoped or highly privileged admin connection could let the agent perform significant Google Workspace administrative actions.
The skill depends on a Maton API key and delegated Google admin OAuth authority. This is expected for the stated purpose, but it grants sensitive account-level permissions.
All requests require the Maton API key in the Authorization header: Authorization: Bearer $MATON_API_KEY ... Only connect with a least-privileged Google admin account, restrict OAuth scopes to the resources needed for the task, and revoke the connection when administrative work is complete.
Use a least-privileged Google admin account, limit OAuth scopes to the task, specify the intended connection, and revoke the connection after use.
Google Workspace administrative data and actions are mediated by a third-party gateway, and using the wrong connection could target the wrong Workspace account.
Administrative API requests and OAuth-mediated access pass through the Maton gateway, and connection selection depends on using the correct header when multiple accounts exist.
The gateway proxies requests to `admin.googleapis.com` and automatically injects your OAuth token. ... If you have multiple Google Workspace Admin connections, specify which one to use with the `Maton-Connection` header.
Install only if you trust Maton for this OAuth gateway role, always include the correct Maton-Connection header when multiple connections exist, and keep connection/session URLs private.