Google Workspace CLI (gws)

Warn

Audited by ClawScan on May 18, 2026.

Overview

This appears to be a legitimate Google Workspace CLI integration, but it can give an agent very broad read/write/send/admin access to a Google Workspace account.

Install this only if you intentionally want OpenClaw or another agent to manage Google Workspace. Use least-privilege OAuth scopes or a dedicated low-privilege account, avoid all-service MCP mode, require confirmation for sends/shares/admin changes, and verify the official package before installing.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If an agent or MCP client misuses these tools, it could send emails, change calendars or documents, share Drive files, post Chat messages, or alter Workspace administration settings.

Why it was flagged

The skill exposes broad mutating Google Workspace operations, including sending email and admin/user management, and documents an all-services MCP mode without artifact-level approval or containment requirements.

Skill content
Drive — files, folders, sharing, permissions ...
Gmail — messages, labels, drafts, send ...
Admin — users, groups, org units ...
# Start MCP server (all services)
gws mcp

Recommendation

Avoid all-service mode by default, enable only the exact services needed with `-s`, require explicit human confirmation for send/share/delete/admin actions, and use dry-run or read-only workflows where possible.

What this means

Authorizing this tool with a privileged Google account or service account could let the agent act with significant account or organization-level permissions.

Why it was flagged

The skill uses OAuth or service-account credentials that can carry broad Google Workspace authority; the artifacts do not clearly bound scopes, tenant privileges, or which accounts should be used.

Skill content
gws auth setup   # creates GCP project, enables APIs, logs in ...
Set: `export GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE=/path/to/credentials.json` ...
Service Account ...
`export GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE=/path/to/service-account.json`

Recommendation

Use a dedicated low-privilege account or OAuth client, grant only necessary scopes, avoid domain-admin service accounts unless strictly required, and know how to revoke the tokens afterward.

What this means

Sensitive emails, documents, files, calendars, or workspace metadata could enter an AI client context or logs, and the client could potentially trigger write actions.

Why it was flagged

The MCP mode can expose Gmail, Drive, Docs, Sheets, Calendar, and other Workspace data/actions to external agent clients, but the artifact does not define client trust boundaries, data minimization, or per-client authorization.

Skill content
`gws` can act as an MCP server, exposing all Workspace APIs as structured tools for Claude, Cursor, VS Code, etc.

Recommendation

Connect the MCP server only to trusted clients, restrict it to needed services, avoid exposing highly sensitive mail/docs/admin APIs, and shut it down or revoke credentials when not in use.

What this means

The safety of the installed tool depends on the external package and source actually being the intended Google Workspace CLI.

Why it was flagged

The skill depends on installing and running an external CLI package or repository. This is purpose-aligned, but the provided scan context contains no package source or lockfile for verification.

Skill content
npm install -g @googleworkspace/cli
# or: cargo install --git https://github.com/googleworkspace/cli --locked
# or: nix run github:googleworkspace/cli

Recommendation

Verify the package name, publisher, repository URL, and version before installing; prefer pinned or trusted installation methods where available.