gogcli - Google Workspace CLI

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent Google Workspace CLI guide, but it relies on external installation and Google OAuth access that users should scope and verify.

Before installing, verify the gogcli source or brew tap, authorize only the Google APIs you actually need, protect ~/.config/gog/, and require explicit confirmation before sending emails, uploading files, or creating account data.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

64/64 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Medium
What this means

If authorized broadly, the CLI can access sensitive Google account data such as email, Drive files, calendars, contacts, and tasks.

Why it was flagged

The skill requires Google OAuth authorization and stores credentials locally, giving the CLI access to the enabled Google Workspace APIs.

Skill content

Before using gogcli, set up OAuth credentials... Enable APIs you need... ./bin/gog auth add you@gmail.com ~/Downloads/client_secret_....json ... Credentials stored in `~/.config/gog/`

Recommendation

Authorize only the minimum Google APIs/scopes needed, protect the local credential directory, and revoke the OAuth grant when it is no longer needed.

ASI02: Tool Misuse and Exploitation
Medium
What this means

Mistaken or overly broad use could send an email, upload a file, create a calendar event, or add tasks under the user's account.

Why it was flagged

The documented CLI capabilities include actions that modify or send data in the user's Google account.

Skill content

./bin/gog gmail send 'recipient@gmail.com' --subject 'Hello' --body 'Message' ... ./bin/gog calendar events create 'Meeting' ... ./bin/gog drive upload ~/Documents/file.pdf ... ./bin/gog tasks add

Recommendation

Use these write commands only after confirming the recipient, file path, account, and content with the user.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Users would be running code that is not included in the submitted skill artifacts and that will handle Google account credentials.

Why it was flagged

The setup instructions depend on external, unpinned install/build sources and optionally a privileged install command.

Skill content

brew install steipete/tap/gogcli ... git clone https://github.com/steipete/gogcli.git ... make ... sudo make install

Recommendation

Verify the repository or brew tap, prefer pinned releases or checksums where available, inspect the project before granting OAuth access, and avoid sudo unless necessary.