Google Workspace (No Cloud Console)
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: google-workspace-mcp
Version: 1.0.0
The skill is classified as suspicious because of its broad access to Google Workspace data and its reliance on executing an external npm package (`@presto-ai/google-workspace-mcp`) via `npm install -g` and `npx`, which introduces a supply chain risk. Capabilities such as downloading files (`drive.downloadFile`, `gmail.downloadAttachment`) and sending emails/messages are plausibly needed for a comprehensive Google Workspace integration, but they are significant, risky capabilities. No explicit prompt injection attempts against the AI agent or other clear malicious intent were found in the `SKILL.md` or `_meta.json` files themselves.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A changed or compromised npm package version could run locally and handle the user's Google OAuth session and Workspace data.
The runnable MCP code is fetched and executed from an unpinned npm package, while the artifact set contains only SKILL.md and no package code for review.
npm install -g @presto-ai/google-workspace-mcp
mcporter config add google-workspace --command "npx" --arg "-y" --arg "@presto-ai/google-workspace-mcp" --scope home
Only install after verifying the package publisher and source; prefer a pinned version and review the package before authorizing Google access.
The agent or MCP server may be able to read sensitive Google data and perform actions as the signed-in Google user, depending on granted OAuth scopes.
The skill uses persistent Google OAuth credentials for broad delegated account access, including mail, calendar, and chat actions, even though registry requirements list no primary credential.
On first use, it opens a browser for Google OAuth. Credentials stored in `~/.config/google-workspace-mcp/` ... Gmail: gmail.search, gmail.get, gmail.send ... Calendar: calendar.createEvent, calendar.updateEvent, calendar.deleteEvent ... Chat: chat.sendMessage
Review the Google consent screen carefully, use the least-privileged account possible, and revoke the OAuth grant if the skill is no longer needed.
A mistaken or over-eager agent action could send emails or chat messages, change documents, modify Gmail state, or alter calendar events.
The exposed tools include high-impact mutation and messaging operations, but the instructions do not state that the agent must ask for explicit user confirmation before using them.
docs.insertText, docs.appendText, docs.replaceText ... calendar.updateEvent, calendar.deleteEvent ... gmail.send, gmail.modify ... chat.sendMessage, chat.sendDm
Require explicit user approval before any send, delete, update, or write action, and test first with low-risk accounts or data.
Emails, documents, spreadsheets, and other Workspace content returned by tools may enter the agent session where they can be used in later reasoning.
Sensitive Google Workspace content is routed through a local MCP tool bridge, which is expected for this integration but important for users to understand.
Uses `@presto-ai/google-workspace-mcp` ... mcporter call --server google-workspace --tool "gmail.get" ... docs.getText ... sheets.getText
Avoid retrieving unnecessary sensitive content and limit use to workspaces/accounts where this data flow is acceptable.
