Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Google Drive

v1.0.2

Access Google Drive from OpenClaw using either GOOGLE_SERVICE_ACCOUNT_KEY service-account JSON or a GOOGLE_OAUTH_REFRESH_TOKEN from the Google Drive OAuth co...

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for jack-piplabs/google-drive-service-account.

Install the skill "Google Drive" (jack-piplabs/google-drive-service-account) from ClawHub.
Skill page: https://clawhub.ai/jack-piplabs/google-drive-service-account
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: GOOGLE_SERVICE_ACCOUNT_KEY, GOOGLE_OAUTH_REFRESH_TOKEN, GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET
Required binaries: python3, openssl
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install google-drive-service-account

ClawHub CLI

npx clawhub@latest install google-drive-service-account

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The script and SKILL.md implement Google Drive operations (search, list, download, upload, export) and require python3/openssl — these are coherent with the stated purpose. However, the registry metadata declares all four environment variables as required even though the skill's own documentation and code say it uses EITHER a service account JSON OR an OAuth refresh token; that mismatch is disproportionate.
Instruction Scope
SKILL.md instructs only Drive-related commands (whoami, search, ls, info, download/export/cat, mkdir, upload). The runtime instructions and examples use only Google Drive endpoints and the declared env vars; there is no instruction to read unrelated system files or contact unexpected endpoints.
Install Mechanism
Install spec only offers a Homebrew formula to install python (formula: python). That's an ordinary way to ensure python3 on macOS but is not cross-platform; there is no remote download or execution of arbitrary code. If running on non-mac systems, the install step is inapplicable and the skill expects python3 to already be present.
Credentials
The skill's metadata lists GOOGLE_SERVICE_ACCOUNT_KEY, GOOGLE_OAUTH_REFRESH_TOKEN, GOOGLE_CLIENT_ID, and GOOGLE_CLIENT_SECRET as required env vars and designates the refresh token as primary. In practice the code uses either a service-account key OR an OAuth refresh token (plus client id/secret only when exchanging a refresh token). Requiring all four is disproportionate and forces users to provide credentials they may not need. The skill will have full Drive access for whichever credential you supply, so granting these values to the agent is sensitive.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request permanent agent inclusion or cross-skill configuration changes. The agent can invoke the skill autonomously by default (platform normal), but no extra privileges are requested.
What to consider before installing
This skill implements a reasonable Google Drive helper, but review the following before installing:

(1) The metadata incorrectly marks all four env vars as required; you only need to provide either a service account key OR an OAuth refresh token (and client_id/secret only for token refresh). Do not upload or paste credentials you don't need.
(2) The script writes your service-account private key to a temporary file and calls openssl to sign JWTs — ensure you run it on a trusted host and that the provided key has least privilege.
(3) The install step only lists Homebrew/python; on non-mac systems ensure python3 and openssl are available from trusted OS packages.
(4) Because the skill can use whichever credentials you give it to access Drive, treat the provided tokens/keys as highly sensitive and consider testing in a restricted environment or reviewing the script fully before supplying secrets.

If you are uncomfortable giving broad Drive access, do not install or restrict the credentials to a low-privilege Drive account.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🗂️ Clawdis
Bins: python3, openssl
Env: GOOGLE_SERVICE_ACCOUNT_KEY, GOOGLE_OAUTH_REFRESH_TOKEN, GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET
Primary env: GOOGLE_OAUTH_REFRESH_TOKEN

Install

Install Python (brew)
Bins: python3
brew install python
latest vk9773nqmxn4fczk3e0p0h4qybn836gzp
342 downloads
0 stars
3 versions
Updated 3h ago
v1.0.2
MIT-0

Google Drive

Use this skill when Google Drive access is available through either:

  • GOOGLE_SERVICE_ACCOUNT_KEY for service-account auth
  • GOOGLE_OAUTH_REFRESH_TOKEN for the dashboard Google Drive OAuth connector

OAuth mode also needs GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET so the refresh token can be exchanged for an access token.

This skill is for:

  • Searching Drive files and folders
  • Listing folder contents
  • Inspecting file metadata
  • Downloading binary files
  • Exporting Google Docs, Sheets, and Slides to standard formats
  • Uploading files or creating folders

Important behavior:

  • The script prefers GOOGLE_OAUTH_REFRESH_TOKEN when present, then falls back to GOOGLE_SERVICE_ACCOUNT_KEY.
  • A service account only sees files it owns, files explicitly shared with the service account email, or a delegated user's Drive when domain-wide delegation is configured.
  • If your workspace uses domain-wide delegation, set GOOGLE_DRIVE_SUBJECT=user@company.com or pass --subject user@company.com.
  • For automation and tool use, prefer --json.
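
Added example (not part of the skill or its script): a pre-flight check that applies the precedence stated above to an environment and reports which credential variables the selected mode would leave unused, so they can be withheld from the agent. The function names and the sample environment are constructed for illustration; client_email and private_key are the standard fields of a Google service-account key file.

```python
import json

OAUTH_VARS = ("GOOGLE_OAUTH_REFRESH_TOKEN", "GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET")
SA_VARS = ("GOOGLE_SERVICE_ACCOUNT_KEY",)
ALL_VARS = OAUTH_VARS + SA_VARS


def plan_credentials(env):
    """Report the auth mode the documented precedence selects, what that mode
    still lacks, and which credential variables are set but would go unused."""
    present = {k for k in ALL_VARS if env.get(k)}
    if "GOOGLE_OAUTH_REFRESH_TOKEN" in present:      # preferred when present
        mode, needed = "oauth", set(OAUTH_VARS)
    elif "GOOGLE_SERVICE_ACCOUNT_KEY" in present:    # documented fallback
        mode, needed = "service_account", set(SA_VARS)
    else:
        return {"mode": None, "missing": [], "surplus": sorted(present),
                "problems": ["no usable credential set"]}
    problems = []
    if mode == "service_account":
        try:
            key = json.loads(env["GOOGLE_SERVICE_ACCOUNT_KEY"])
            for field in ("client_email", "private_key"):
                if not key.get(field):
                    problems.append("service-account JSON lacks " + field)
        except (ValueError, AttributeError):
            problems.append("GOOGLE_SERVICE_ACCOUNT_KEY is not a JSON object")
    return {"mode": mode, "missing": sorted(needed - present),
            "surplus": sorted(present - needed), "problems": problems}


def minimal_env(env):
    """Copy of env without the credential variables the selected mode ignores."""
    surplus = set(plan_credentials(env)["surplus"])
    return {k: v for k, v in env.items() if k not in surplus}


if __name__ == "__main__":
    # Constructed sample: all four variables set, as the registry metadata demands.
    sample = {
        "PATH": "/usr/bin",
        "GOOGLE_OAUTH_REFRESH_TOKEN": "placeholder-refresh-token",
        "GOOGLE_CLIENT_ID": "placeholder-client-id",
        "GOOGLE_CLIENT_SECRET": "placeholder-client-secret",
        "GOOGLE_SERVICE_ACCOUNT_KEY": '{"client_email": "sa@example.invalid", "private_key": "placeholder"}',
    }
    print(plan_credentials(sample))
    print(sorted(minimal_env(sample)))
```

Passing the result of minimal_env as the child-process environment keeps the unused key or token out of the skill's reach entirely.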

Quick Start

Check access:

python3 {baseDir}/scripts/gdrive_sa.py whoami

Search files:

python3 {baseDir}/scripts/gdrive_sa.py search "name contains 'Q1'" --limit 10
python3 {baseDir}/scripts/gdrive_sa.py search "'root' in parents" --limit 25 --json

List a folder:

python3 {baseDir}/scripts/gdrive_sa.py ls root --limit 50
python3 {baseDir}/scripts/gdrive_sa.py ls <folderId> --json

Inspect metadata:

python3 {baseDir}/scripts/gdrive_sa.py info <fileId>

Download or export:

python3 {baseDir}/scripts/gdrive_sa.py download <fileId> --out /tmp/file.bin
python3 {baseDir}/scripts/gdrive_sa.py export <fileId> --mime text/plain --out /tmp/doc.txt
python3 {baseDir}/scripts/gdrive_sa.py cat <fileId> --mime text/plain

Create folders and upload files:

python3 {baseDir}/scripts/gdrive_sa.py mkdir "Reports" --parent root
python3 {baseDir}/scripts/gdrive_sa.py upload ./report.pdf --parent <folderId>
python3 {baseDir}/scripts/gdrive_sa.py upload ./notes.txt --name "meeting-notes.txt" --parent root

Query Tips

Drive search uses the standard Drive query syntax in the q parameter. Useful examples:

  • name contains 'invoice'
  • mimeType = 'application/vnd.google-apps.folder'
  • 'root' in parents
  • trashed = false
  • modifiedTime > '2026-01-01T00:00:00Z'

Combined example:

python3 {baseDir}/scripts/gdrive_sa.py search "trashed = false and name contains 'roadmap'" --limit 20 --json
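
Added example (not code from the skill): composing the q string from untrusted values, such as text an agent lifted from a document, using Drive's backslash escaping for quotes, then handing it to the documented search command as an argv list. q_literal, build_query, search_argv and the folder-ID character set are assumptions made for this sketch.

```python
import re

# Assumption: folder IDs consist of letters, digits, "_" and "-".
_FOLDER_ID = re.compile(r"[A-Za-z0-9_-]+")
_RFC3339_UTC = re.compile(r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ")


def q_literal(value):
    """Quote a string for the q parameter: escape backslash first, then the quote."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def build_query(name_contains=None, parent=None, modified_after=None,
                include_trashed=False):
    """Join the clauses listed under Query Tips with 'and'."""
    clauses = []
    if not include_trashed:
        clauses.append("trashed = false")
    if name_contains is not None:
        clauses.append("name contains " + q_literal(name_contains))
    if parent is not None:
        if parent != "root" and not _FOLDER_ID.fullmatch(parent):
            raise ValueError("unexpected characters in folder id")
        clauses.append(q_literal(parent) + " in parents")
    if modified_after is not None:
        if not _RFC3339_UTC.fullmatch(modified_after):
            raise ValueError("modified_after must look like 2026-01-01T00:00:00Z")
        clauses.append("modifiedTime > " + q_literal(modified_after))
    return " and ".join(clauses)


def search_argv(script, query, limit=20):
    """argv for the documented search command; suitable for subprocess.run
    without shell=True, so the query never passes through shell parsing."""
    return ["python3", script, "search", query, "--limit", str(limit), "--json"]


if __name__ == "__main__":
    # Constructed input: a file name that itself contains single quotes.
    q = build_query(name_contains="Q1 'final'", parent="root")
    print(q)
    print(search_argv("scripts/gdrive_sa.py", q))
```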

Google Workspace Export MIME Types

Common export choices for Google-native files:

  • Docs to plain text: text/plain
  • Docs to PDF: application/pdf
  • Docs to Word: application/vnd.openxmlformats-officedocument.wordprocessingml.document
  • Sheets to CSV: text/csv
  • Sheets to XLSX: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
  • Slides to PDF: application/pdf

Example:

python3 {baseDir}/scripts/gdrive_sa.py export <sheetId> --mime text/csv --out /tmp/sheet.csv

Notes

  • The script automatically enables supportsAllDrives=true and includeItemsFromAllDrives=true.
  • OAuth-connected agents act as the connected end user, not as a service account.
  • root refers to the visible root for the authenticated principal.
  • Use cat only for text-friendly outputs. Use download or export --out for binary files.
  • Confirm before uploading or creating folders in shared team drives.
