Tmp.Bz973yI9Y0

Review

Audited by ClawScan on May 12, 2026.

Overview

This is a disclosed Google Docs helper that uses an authenticated Google account and external MCP/npm tooling; it appears purpose-aligned, but it can edit, delete, comment on, and export documents.

Before installing, make sure you trust the gogcli and gogcli-mcp-docs packages, configure the intended Google account, and carefully review requests that edit, delete, or export document content.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may be able to change or remove Google Docs content or comments when using this skill.

Why it was flagged

The skill exposes document mutation and deletion tools. These are directly related to the stated Google Docs editing purpose, but mistakes or ambiguous user requests could alter user documents.

Skill content

`gog_docs_delete` | Delete content by character index range ... `gog_docs_sed` | Stream-edit with sed-like regex ... `gog_docs_comments_delete` | Delete a comment

Recommendation

Review the target document, ranges, and replacement text before approving destructive or broad edits.

What this means

Actions may be performed under the configured Google account and could affect documents that account can access.

Why it was flagged

The skill expects access to an authenticated Google account. That is expected for Google Docs operations, but it gives the tool delegated authority over documents available to that account.

Skill content

- [gogcli](https://github.com/steipete/gogcli) installed and authenticated ... "GOG_ACCOUNT": "you@gmail.com"

Recommendation

Use an account with only the needed access, verify the configured account, and revoke or limit authorization when no longer needed.

What this means

Installing or running the MCP server executes third-party package code in the user's environment, potentially with access to the configured Google account integration.

Why it was flagged

The setup runs an external npm package as the MCP server. That is a normal installation pattern for this kind of skill, but the package code is not included in the provided artifacts.

Skill content

"command": "npx", "args": ["-y", "gogcli-mcp-docs"]

Recommendation

Install only from trusted sources, consider pinning a known version, and review the npm package or linked repository before use.

What this means

Sensitive document contents or comments may be processed by the configured local MCP integration when the agent reads, edits, comments on, or exports Docs.

Why it was flagged

The skill routes Google Docs operations through an MCP server. This is expected for the integration, but document content and comments may pass through the MCP package/gogcli boundary.

Skill content

Extended Google Docs MCP server via [gogcli] ... "mcpServers": { "gogcli-docs": { "command": "npx"

Recommendation

Use this only with a trusted MCP server and be mindful when opening or exporting sensitive documents.