Google Docs Skill

Pass. Audited by ClawScan on May 10, 2026.

Overview

This is a coherent Google Docs API guide, but it requires Google OAuth tokens and can create or edit documents, so protect credentials and confirm document changes.

Before using this skill, understand that it can access and modify Google Docs through your OAuth token. Keep client secrets, refresh tokens, and access tokens private; do not paste token output into shared chats or logs; verify document IDs before edits; and revoke the OAuth grant if you stop using the skill.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone or any agent with these tokens could use the granted Google Docs API permissions until the token is revoked.

Why it was flagged

The skill requires Google OAuth credentials, including a refresh token. This is expected for Google Docs integration, but it grants delegated account access and is not reflected in the registry credential metadata.

Skill content

export GOOGLE_CLIENT_SECRET="your-client-secret"
export GOOGLE_REFRESH_TOKEN="your-refresh-token"

Recommendation

Use a dedicated OAuth client if possible, keep tokens out of chat and logs, store them only in a secure local environment, and revoke the refresh token when no longer needed.

What this means

Mistaken or overly broad instructions could modify the wrong Google document or insert unintended content.

Why it was flagged

The skill documents direct Google Docs batchUpdate calls, which can change document content. This matches the stated purpose but is a mutating account action.

Skill content

f'https://docs.googleapis.com/v1/documents/{doc_id}:batchUpdate',
    data=data,
    method='POST'

Recommendation

Confirm the target document ID and requested edits before running update operations, and prefer small reversible changes.

What this means

Running copied code locally can expose OAuth codes or tokens if the code is modified or executed in an untrusted environment.

Why it was flagged

The one-time OAuth setup uses a local Python script that opens a browser and listens on localhost to capture the authorization code. This is standard OAuth plumbing and user-directed, not automatic installation behavior.

Skill content

webbrowser.open(auth_url) ... server = HTTPServer(('localhost', 8080), OAuthHandler)

Recommendation

Review the setup snippet before running it, run it only on a trusted machine, and ensure the redirect URI and token endpoint are Google's official endpoints.