Google Workspace
Read-only Gmail and Contacts access with configurable Calendar (readonly or readwrite) for OpenClaw agents
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 0 · 49 · 0 current installs · 0 all-time installs
MIT-0
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (read-only Gmail/Contacts + configurable Calendar) match the code and the declared requirements. The only required env vars are an encryption key and OAuth client credentials, which are appropriate for obtaining and storing Google API tokens. The required binary (google-workspace) is consistent with the provided Go source for a CLI.
Instruction Scope
SKILL.md directs the agent to run the google-workspace CLI and describes only Google API operations and the OAuth flow. The instructions do not ask for unrelated files, host credentials, or to send data to external endpoints beyond Google's APIs. The OAuth flow requires manual copy/paste of the authorization code (desktop flow), which is documented in the README/CLAUDE.md.
Install Mechanism
There is no install spec in the registry entry (instruction-only), but the repository includes Go source files and expects a 'google-workspace' binary on PATH. Operators will need to build or install the binary themselves (README gives build and deployment instructions). This is not a security problem by itself but is a minor packaging inconsistency to be aware of.
Credentials
The skill requires only three environment variables: GOOGLE_WORKSPACE_TOKEN_KEY, GOOGLE_CLIENT_ID, and GOOGLE_CLIENT_SECRET. These align with the stated functionality: encrypting tokens and performing OAuth. No unrelated secrets or cloud provider credentials are requested. Note: tests embed a literal test passphrase in internal/crypto/encrypt_test.go — it's for unit tests, but storing any secret-like literal in source control can be undesirable.
Persistence & Privilege
always is false and model invocation is allowed (normal). The skill persists an encrypted OAuth token to a user-scoped config directory (~/.openclaw/credentials/google-workspace/token.enc by default). The token is encrypted with the provided passphrase; storing a token locally is expected and proportional to the skill's purpose.
Assessment
This skill appears internally consistent and implements the read-only/opt-in-write model it claims. Before installing: 1) Ensure you build or install the 'google-workspace' binary (the registry entry doesn't provide an install step). 2) Provide the three env vars (GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET for your Google OAuth Desktop client; and a strong GOOGLE_WORKSPACE_TOKEN_KEY used to encrypt tokens). 3) Create a Google Cloud OAuth client limited to only the Gmail, Calendar and People APIs as recommended. 4) Be aware the CLI persists an encrypted refresh/access token to the instance filesystem; the encryption key is required to decrypt it — protect and rotate that key via your secret manager. 5) The repo includes a hardcoded test passphrase in a unit test — it's not used in production but you may want to audit/clean test secrets if you vendor the code. 6) If you rely on Advanced Protection, follow the documented guidance: the desktop OAuth flow may require temporary unenrollment for unverified apps. If you want higher assurance, review the internal/oauth implementation and verify the OAuth endpoints and redirect handling yourself before deployment.Like a lobster shell, security has layers — review code before you run it.
Current versionv0.2.0
Download ziplatest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📧 Clawdis
OSLinux
Binsgoogle-workspace
EnvGOOGLE_WORKSPACE_TOKEN_KEY, GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET
SKILL.md
Google Workspace Skill
Access Gmail (read-only), Google Calendar (configurable), and Google Contacts (read-only).
Important
- Gmail is strictly read-only. You cannot send, modify, or delete emails.
- Contacts is strictly read-only. You cannot create, modify, or delete contacts.
- Calendar access depends on the configured mode. Check with
google-workspace config show.
Check configuration
Before using any commands, verify what is enabled:
google-workspace config show
Gmail commands
Search messages:
google-workspace gmail search --query "from:someone@example.com" --max-results 10
Read a message by ID:
google-workspace gmail read --id MESSAGE_ID
List labels:
google-workspace gmail labels
Search or read threads:
google-workspace gmail threads --query "subject:meeting"
google-workspace gmail threads --id THREAD_ID
Calendar commands
List available calendars:
google-workspace calendar list
List upcoming events:
google-workspace calendar events --from 2026-03-29T00:00:00Z --to 2026-04-05T23:59:59Z
Get a specific event:
google-workspace calendar event --id EVENT_ID
Create an event (only if calendar mode is readwrite):
google-workspace calendar create --summary "Team sync" --start "2026-04-01T10:00:00Z" --end "2026-04-01T11:00:00Z"
Update an event (only if calendar mode is readwrite):
google-workspace calendar update --id EVENT_ID --summary "Updated title"
Delete an event (only if calendar mode is readwrite):
google-workspace calendar delete --id EVENT_ID
Contacts commands
List contacts:
google-workspace contacts list --max-results 50
Search contacts:
google-workspace contacts search --query "John"
Get a specific contact:
google-workspace contacts get --id "people/c1234567890"
Authentication status
Check if the token is valid:
google-workspace auth status
If the token has expired, ask the operator to re-authenticate by running google-workspace auth login on the host.
If authentication fails with Error 400: policy_enforced, the operator's Google account likely has Advanced Protection enabled. They will need to temporarily unenroll, complete the OAuth flow, then re-enroll. The refresh token persists across sessions.
Output format
All commands output JSON by default. Use --output text for plain text where supported.
Files
20 totalSelect a file
Select a file to preview.
Comments
Loading comments…