Gws Admin

v1.0.2

Google Workspace Admin SDK: Manage users, groups, and devices.

⭐ 0· 399·2 current·3 all-time

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for googleworkspace-bot/gws-admin.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "Gws Admin" (googleworkspace-bot/gws-admin) from ClawHub.
Skill page: https://clawhub.ai/googleworkspace-bot/gws-admin
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: gws
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install gws-admin

ClawHub CLI

Package manager switcher

npx clawhub@latest install gws-admin

Security Scan

VirusTotal

Suspicious

View report →

OpenClaw

Suspicious

medium confidence

ℹ

Purpose & Capability

Name/description (Google Workspace Admin) align with the documented CLI actions (users, groups, devices). Requiring a 'gws' CLI binary is reasonable if this is a wrapper for the Admin SDK. However, the skill does not declare any auth/environment variables even though admin operations require credentials; it explicitly defers auth to ../gws-shared/SKILL.md which is outside this package, creating an unexplained dependency.

Instruction Scope

SKILL.md enumerates powerful, potentially destructive admin operations (remote wipe, deprovision, delete resources) which is expected for an admin tool, but the runtime instructions instruct the agent to read/use a sibling SKILL.md for auth and to run `gws generate-skills` if missing. Those steps may create files or credentials at runtime; because this skill gives no explicit boundary or description of what files/paths will be read or written, the instruction scope is underspecified and could result in unexpected access or state changes.

✓

Install Mechanism

Instruction-only skill with no install spec or bundled code. That minimizes direct install risk (nothing will be downloaded or written by the skill itself). The higher-risk actions arise from the external 'gws' binary and the referenced shared SKILL.md, not from an installer here.

Credentials

The skill declares no required environment variables or primary credential, yet the documented operations require Google Workspace admin credentials/OAuth tokens. The fact that auth is delegated to a separate gws-shared skill but not declared here is an inconsistency: the skill should explicitly state what credentials or config it needs and where they are stored. Lack of declared credentials prevents proper review of what secrets the skill will access.

ℹ

Persistence & Privilege

The skill does not request always:true, does not claim system-wide config access, and has no declared config paths. That is appropriate. However, because instructions suggest generating shared auth/config files, installing this skill could indirectly cause persistent credentials/config to be written by the shared tooling—verify that behavior in the referenced gws-shared files before granting it access.

What to consider before installing

This skill appears to be a CLI wrapper for Google Workspace admin tasks, which legitimately requires admin credentials and will be able to perform destructive actions (delete, wipe, deprovision). Before installing: 1) Verify the provenance of the 'gws' binary (who provides it, is it signed, where is it installed?), 2) Inspect ../gws-shared/SKILL.md (or ask the author) to see exactly how authentication is handled and where credentials/tokens are stored, 3) Ensure the skill declares the required env vars or config paths and that those are limited to least privilege (a dedicated admin service account with minimal scopes), 4) Avoid enabling autonomous invocation until you confirm where credentials live and that the skill only uses them for intended API calls, and 5) If possible, test in an isolated/test Google Workspace account first. If the author cannot provide the missing auth details and provenance for the gws CLI, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

Plugin bundle (nix)

Skill pack · CLI binary · Config

SKILL.mdCLIConfig

CLI help (from plugin)

gws admin --help

Runtime requirements

Binsgws

latestvk97av01rdm9zmvqx66vnvgatc9828t4c

399downloads

0stars

3versions

Updated 6h ago

v1.0.2

MIT-0

admin (directory_v1)

PREREQUISITE: Read ../gws-shared/SKILL.md for auth, global flags, and security rules. If missing, run gws generate-skills to create it.

gws admin <resource> <method> [flags]

API Resources

asps

delete — Deletes an ASP issued by a user.
get — Gets information about an ASP issued by a user.
list — Lists the ASPs issued by a user.

channels

stop — Stops watching resources through this channel.

chromeosdevices

action — Use BatchChangeChromeOsDeviceStatus instead. Takes an action that affects a Chrome OS Device. This includes deprovisioning, disabling, and re-enabling devices. Warning: * Deprovisioning a device will stop device policy syncing and remove device-level printers. After a device is deprovisioned, it must be wiped before it can be re-enrolled.
get — Retrieves a Chrome OS device's properties.
list — Retrieves a paginated list of Chrome OS devices within an account.
moveDevicesToOu — Moves or inserts multiple Chrome OS devices to an organizational unit. You can move up to 50 devices at once.
patch — Updates a device's updatable properties, such as annotatedUser, annotatedLocation, notes, orgUnitPath, or annotatedAssetId. This method supports patch semantics.
update — Updates a device's updatable properties, such as annotatedUser, annotatedLocation, notes, orgUnitPath, or annotatedAssetId.

customer

devices — Operations on the 'devices' resource

customers

get — Retrieves a customer.
patch — Patches a customer.
update — Updates a customer.
chrome — Operations on the 'chrome' resource

domainAliases

delete — Deletes a domain Alias of the customer.
get — Retrieves a domain alias of the customer.
insert — Inserts a domain alias of the customer.
list — Lists the domain aliases of the customer.

domains

delete — Deletes a domain of the customer.
get — Retrieves a domain of the customer.
insert — Inserts a domain of the customer.
list — Lists the domains of the customer.

groups

delete — Deletes a group.
get — Retrieves a group's properties.
insert — Creates a group.
list — Retrieves all groups of a domain or of a user given a userKey (paginated).
patch — Updates a group's properties. This method supports patch semantics.
update — Updates a group's properties.
aliases — Operations on the 'aliases' resource

members

delete — Removes a member from a group.
get — Retrieves a group member's properties.
hasMember — Checks whether the given user is a member of the group. Membership can be direct or nested, but if nested, the memberKey and groupKey must be entities in the same domain or an Invalid input error is returned. To check for nested memberships that include entities outside of the group's domain, use the checkTransitiveMembership() method in the Cloud Identity Groups API.
insert — Adds a user to the specified group.
list — Retrieves a paginated list of all members in a group. This method times out after 60 minutes. For more information, see Troubleshoot error codes.
patch — Updates the membership properties of a user in the specified group. This method supports patch semantics.
update — Updates the membership of a user in the specified group.

mobiledevices

action — Takes an action that affects a mobile device. For example, remotely wiping a device.
delete — Removes a mobile device.
get — Retrieves a mobile device's properties.
list — Retrieves a paginated list of all user-owned mobile devices for an account. To retrieve a list that includes company-owned devices, use the Cloud Identity Devices API instead. This method times out after 60 minutes. For more information, see Troubleshoot error codes.

orgunits

delete — Removes an organizational unit.
get — Retrieves an organizational unit.
insert — Adds an organizational unit.
list — Retrieves a list of all organizational units for an account.
patch — Updates an organizational unit. This method supports patch semantics
update — Updates an organizational unit.

privileges

list — Retrieves a paginated list of all privileges for a customer.

resources

buildings — Operations on the 'buildings' resource
calendars — Operations on the 'calendars' resource
features — Operations on the 'features' resource

roleAssignments

delete — Deletes a role assignment.
get — Retrieves a role assignment.
insert — Creates a role assignment.
list — Retrieves a paginated list of all roleAssignments.

roles

delete — Deletes a role.
get — Retrieves a role.
insert — Creates a role.
list — Retrieves a paginated list of all the roles in a domain.
patch — Patches a role.
update — Updates a role.

schemas

delete — Deletes a schema.
get — Retrieves a schema.
insert — Creates a schema.
list — Retrieves all schemas for a customer.
patch — Patches a schema.
update — Updates a schema.

tokens

delete — Deletes all access tokens issued by a user for an application.
get — Gets information about an access token issued by a user.
list — Returns the set of tokens specified user has issued to 3rd party applications.

twoStepVerification

turnOff — Turns off 2-Step Verification for user.

users

createGuest — Create a guest user with access to a subset of Workspace capabilities. This feature is currently in Alpha. Please reach out to support if you are interested in trying this feature.
delete — Deletes a user.
get — Retrieves a user.
insert — Creates a user. Mutate calls immediately following user creation might sometimes fail as the user isn't fully created due to propagation delay in our backends. Check the error details for the "User creation is not complete" message to see if this is the case. Retrying the calls after some time can help in this case. If resolveConflictAccount is set to true, a 202 response code means that a conflicting unmanaged account exists and was invited to join the organization.
list — Retrieves a paginated list of either deleted users or all users in a domain.
makeAdmin — Makes a user a super administrator.
patch — Updates a user using patch semantics. The update method should be used instead, because it also supports patch semantics and has better performance. If you're mapping an external identity to a Google identity, use the update method instead of the patch method. This method is unable to clear fields that contain repeated objects (addresses, phones, etc). Use the update method instead.
signOut — Signs a user out of all web and device sessions and reset their sign-in cookies. User will have to sign in by authenticating again.
undelete — Undeletes a deleted user.
update — Updates a user. This method supports patch semantics, meaning that you only need to include the fields you wish to update. Fields that are not present in the request will be preserved, and fields set to null will be cleared. For repeating fields that contain arrays, individual items in the array can't be patched piecemeal; they must be supplied in the request body with the desired values for all items.
watch — Watches for changes in users list.
aliases — Operations on the 'aliases' resource
photos — Operations on the 'photos' resource

verificationCodes

generate — Generates new backup verification codes for the user.
invalidate — Invalidates the current backup verification codes for the user.
list — Returns the current set of valid backup verification codes for the specified user.

Discovering Commands

Before calling any API method, inspect it:

# Browse resources and methods
gws admin --help

# Inspect a method's required params, types, and defaults
gws schema admin.<resource>.<method>

Use gws schema output to build your --params and --json flags.

Comments

Loading comments...