Google Workspace CLI (gog)

Audited by ClawScan on May 10, 2026.

Overview

This is a coherent Google Workspace CLI skill, but it uses broad OAuth access and can perform high-impact actions like sending email or editing Sheets.

This skill appears usable for its stated purpose if you trust the gog CLI. Before installing or authorizing it, confirm the source of the binary, review the OAuth scopes, and require explicit approval for any action that sends email, creates calendar events, or changes Sheets, Docs, Drive, or Contacts data.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Once authorized, the agent may be able to access or act on Gmail, Calendar, Drive, Contacts, Sheets, and Docs data allowed by the OAuth scopes.

Why it was flagged

The skill asks the user to authorize a Google account across multiple Workspace services. This is expected for the stated purpose, but it grants broad delegated account access.

Skill content

`gog auth add you@gmail.com --services gmail,calendar,drive,contacts,sheets,docs`

Recommendation

Use a dedicated or least-privileged Google account where possible, review OAuth scopes during setup, and revoke the gog authorization when it is no longer needed.

What this means

A mistaken or overly broad command could send an unintended email or alter spreadsheet data.

Why it was flagged

The skill exposes high-impact commands that can send messages and modify or clear spreadsheet data. These commands are disclosed and purpose-aligned, but they should be used only with explicit user intent.

Skill content

`gog gmail send ...`; `gog sheets update ...`; `gog sheets append ...`; `gog sheets clear <sheetId> "Tab!A2:Z"`; `For scripting, prefer --json plus --no-input.`

Recommendation

Require explicit confirmation before all write, send, append, clear, copy, or create operations; avoid non-interactive `--no-input` usage for destructive actions unless the user has approved the exact target and change.

What this means

The security of the skill in practice depends on the installed gog CLI and its update source.

Why it was flagged

The skill depends on an external `gog` binary installed from a Homebrew tap, and no CLI code is included in the scanned artifact. This is normal for an instruction-only CLI skill but means the external tool's behavior was not reviewed here.

Skill content

`requires:{"bins":["gog"],"install":[{"id":"brew","kind":"brew","formula":"steipete/tap/gogcli","bins":["gog"]}]}`

Recommendation

Install gog only from a trusted source, verify the project/homepage, and keep the CLI updated through a trusted package manager.