Google Docs
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: google-docs-operator Version: 1.0.0 The skill bundle provides a legitimate integration for Google Docs via the Maton.ai API gateway, allowing for document creation, editing, and export. The Python driver (gdocs_driver.py) and agent instructions (SKILL.md) are well-documented, use standard libraries (requests, urllib), and perform actions strictly aligned with the stated purpose without any evidence of malicious intent, data exfiltration, or harmful prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overly broad instruction could replace or remove content in a Google Doc the connected account can edit.
The CLI can overwrite a Google Doc by deleting existing content and inserting new text. This matches the skill's stated editing purpose, but it is a high-impact action if used on the wrong document.
cmd_write(args): """覆盖全文内容(先删除再写入)。""" ... "deleteContentRange": {"range": {"startIndex": 1, "endIndex": end_index - 1}}Confirm the document ID and requested edit before using overwrite, replace-all, or formatting commands; keep backups or rely on Google Docs version history for recovery.
Anyone or any agent process with the Maton API key may be able to act through the connected Google Docs permissions.
The skill relies on a Maton API key and a managed Google OAuth connection, giving delegated access to Google Docs through Maton.
The gateway proxies requests to `docs.googleapis.com` and automatically injects your OAuth token. ... Authorization: Bearer $MATON_API_KEY
Protect MATON_API_KEY, authorize only the intended Google account, review the scopes/connections in Maton, and revoke the connection if it is no longer needed.
Document contents, edits, and exports may pass through a third-party service, which matters for private or business documents.
The artifacts disclose that Google API requests and document data are routed through the Maton gateway rather than directly to Google.
本插件所有的 Google API 请求均通过带有 SSL 证书加密的 `https://gateway.maton.ai` 代理。
Use this only for documents you are comfortable routing through Maton, and review Maton's security, privacy, and retention practices.
Users have less context for verifying the publisher, update history, or upstream code provenance.
The registry metadata does not provide a source repository or homepage, which limits independent provenance review even though the included behavior is coherent.
Source: unknown Homepage: none
Install only if you trust the publisher and the Maton service; prefer a version with a verifiable source repository.