gog CLI: safe Google Workspace automation, JSON, auth, scoped reads/writes.
Copy the install command and let the AI configure it · recommended for beginners
Please install the "gog" skill from askskill: 1. Download https://raw.githubusercontent.com/openclaw/gogcli/main/.agents/skills/gog/SKILL.md 2. Save it as ~/.claude/skills/gog/SKILL.md 3. Reload skills and tell me it's ready
Use gog when built-in Google connectors are missing a feature, when shell
automation needs stable JSON, or when you need to inspect local Google auth
state before acting.
gog --version
gog auth list --check --json --no-input
gog auth doctor --check --json --no-input
gog schema --json
Pick the account explicitly for API work:
gog --account [email protected] gmail search 'newer_than:7d' --json --wrap-untrusted
Prefer --json --wrap-untrusted for agent parsing when reading Google content.
Human hints and progress should stay on stderr; stdout is for data.
GOG_KEYRING_PASSWORD is provided by a shell startup file or service
environment, use the matching shell/entrypoint so gog can unlock the file
keyring non-interactively. Do not print the value.GOG_KEYRING_BACKEND=file, GOG_KEYRING_PASSWORD, and HOME must be
present in the process that launches gog.--no-input in automation so auth/keyring prompts fail clearly.--dry-run first where commands support it.--force; do not add it unless the user asked
for that exact mutation.--gmail-no-send or GOG_GMAIL_NO_SEND=1 unless sending mail is the
requested task.docs/safety-profiles.md.Runtime command guards:
gog --enable-commands gmail.search,gmail.get --gmail-no-send \
--account [email protected] gmail search 'from:[email protected]' --json
gog --enable-commands drive.ls,docs.cat --disable-commands drive.delete \
--account [email protected] drive ls --max 10 --json
OAuth setup is partly interactive. An agent can inspect and diagnose it, but a human normally completes browser consent:
gog auth credentials list
gog auth add [email protected] --services all-user --force-consent
gog auth remove [email protected]
Default for existing human/user OAuth reauth: preserve broad service access.
Before reauth, run gog auth list --check --json --no-input and inspect the
account's existing services. When replacing an expired or revoked token, do
not silently reduce scope; prefer --services all-user --force-consent unless
the user explicitly asks for narrower scopes.
Use narrow services only for throwaway/test accounts, service-specific bot
accounts, explicit user requests, or scoped security experiments. Safety should
normally be enforced at command time with --enable-commands,
--disable-commands, --gmail-no-send, dry-runs, and account selection, not by
under-scoping durable user auth.
Service accounts are Workspace-only and mainly fit Admin, Groups, Keep, and
domain-wide delegation flows; they do not solve consumer @gmail.com OAuth.
For OpenClaw/systemd setups, run the diagnostic through the actual agent entrypoint after restarting the service:
openclaw agent --agent main --message \
'Run: gog auth doctor --check --no-input && gog gmail search "newer_than:1d" --max 1 --json'
If this fails with keyring.password while the same gog auth doctor works in
the shell, fix the service or agent environment before reauthenticating.
Remote Mac OAuth pattern:
gog auth add [email protected] --services all-user --force-consent --timeout 15m.open -a "Google Chrome".…
Fetch GitHub issues, create fixes, open PRs, and handle reviews.
Regenerate OpenClaw release changelog sections from Git history before releases.
Create and review technical docs and agent instruction files in repositories.
Verify an OpenClaw release is fully published and working across all channels.
Convert text to speech locally and offline with sherpa-onnx, no cloud needed.
Prepare and verify OpenClaw stable or beta releases and release notes.