OpenClaw has become the standard way for AI agents to interact with external tools and data. With over 10,000 skills available on ClawHub, agents like Claude, ChatGPT, GitHub Copilot, and Gemini can now read your email, manage your calendar, send messages, and modify events on your behalf.
But how does this actually work? What happens when your AI agent reads your inbox or books a meeting? Understanding the data flow is the first step to securing it. In this guide, we break down the full chain from AI agent to email provider, explain where the security gaps are, and show how PortEden fills them.
What Is OpenClaw and How Does It Work?
OpenClaw is an open protocol that standardizes how AI agents connect to external tools and data sources. Think of it as a universal adapter. Instead of every AI agent building custom integrations for Gmail, Outlook, Slack, and hundreds of other services, OpenClaw provides a single protocol that any agent can use.
The architecture has three layers:
- Host: The AI application you interact with. Claude Desktop, ChatGPT, VS Code with Copilot, or any other OpenClaw-compatible agent.
- Skill Runtime: The OpenClaw layer that manages skill discovery, execution, and communication. When your agent decides it needs to check your calendar, the runtime knows which skill to call and how to call it.
- Skills: Individual tools that connect to specific services. Each skill is a small program (often a CLI binary) that knows how to talk to one service, like Gmail or Google Calendar. Skills are installed from ClawHub, the official skill marketplace.
How Skills Use CLIs to Access Your Data
This is the part most people do not realize. When your AI agent "reads your email" or "checks your calendar," it is not making API calls directly. The agent tells OpenClaw what it wants, and OpenClaw executes a CLI command on your machine.
For example, when you ask Claude "What is on my calendar today?", here is what actually happens:
- Claude interprets your request and decides it needs calendar data.
- OpenClaw looks up the installed calendar skill and finds the CLI binary it should execute.
- OpenClaw runs the skill's CLI command, something like `calendar-tool events --today --json`.
- The CLI authenticates with the email or calendar provider using a stored OAuth token or API key.
- The provider (Google, Microsoft) returns the data.
- The CLI formats the response as JSON and passes it back through OpenClaw to the agent.
- Claude reads the JSON and answers your question in natural language.
Every operation follows the same pattern. Reading email, sending messages, creating calendar events, and deleting items all flow through the skill's CLI. The agent never talks to Gmail or Outlook directly. The CLI binary is the bridge.
The quality of that bridge matters. Some skills return raw API responses from Google or Microsoft, bloated with metadata, nested structures, and fields the agent does not need. Others strip the noise and return clean, compact output. This difference has a direct impact on response quality and cost, which we cover in the PortEden section below.
How OAuth Connects the CLI to Your Email Provider
For the CLI to access your Gmail or Outlook data, it needs permission from your email provider. This is handled through OAuth, the same authorization protocol that powers "Sign in with Google" buttons across the web.
When you first set up the CLI, you authenticate through a browser flow. The CLI opens your browser, you sign in to your Google or Microsoft account, and you grant access. The provider issues an OAuth token, and the CLI stores it securely on your machine (in Keychain on macOS, Credential Manager on Windows, or Secret Service on Linux).
From that point on, every CLI command uses that token to authenticate with the provider's API. The token is what gives the CLI, and by extension your AI agent, access to your data.
Here is the problem. OAuth tokens are typically broad. A Gmail token might grant gmail.modify access, which includes reading, sending, labeling, and deleting email. A Google Calendar token might include full read and write access to every calendar on your account. Even if your agent only needs to check your schedule, the token allows it to create, modify, and delete events.
Left: default OpenClaw setup with a generic email skill connecting directly to providers. Right: PortEden skill adds six layers of security between the agent and your data.
The Security Gaps in the Default Setup
The default OpenClaw setup has no security layer between the AI agent and your data. Once the skill has an OAuth token, it has full access. There are several specific gaps that put your data at risk.
No Visibility Controls
When the agent queries your calendar, it gets everything: meeting titles, attendee email addresses, descriptions, locations, video call links, and private notes. There is no way to say "show free/busy only" or "hide attendee lists." The agent sees your full schedule in complete detail.
No Action Limits
If the OAuth token allows writing, the agent can write. There is no built-in mechanism to restrict an agent to read-only access or to force emails into draft mode instead of sending them directly. A misinterpreted instruction can result in deleted events, cancelled meetings, or sent emails that you never reviewed.
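The kind of action limit this gap calls for can be enforced on the command line before the skill's CLI runs. The following is an added example, not OpenClaw or PortEden code; the verb names, the `mail-tool` binary, the `draft` verb and the three modes are assumptions made for illustration.

```python
import shlex

# Hypothetical verb classes for a skill CLI. Only the command
# "calendar-tool events --today --json" appears in the article itself.
READ = {"events", "list", "read", "search"}
SEND = {"send"}
WRITE = {"create", "update", "delete"}

def gate(command, mode):
    """Decide what to run for an agent-requested command line.

    mode is "read_only", "draft_only" or "write". Returns (decision, argv);
    argv is None when the command is denied. Anything unrecognised is denied.
    """
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes in the requested command
        return "deny:malformed", None
    if len(argv) < 2:
        return "deny:malformed", None
    verb = argv[1]
    if verb in READ:
        return "allow", argv
    if verb not in SEND | WRITE:
        # Fail closed: a verb the policy does not know is never executed.
        return "deny:unknown_verb", None
    if mode == "write":
        return "allow", argv
    if mode == "draft_only" and verb in SEND:
        # Swap in the hypothetical "draft" verb so a human reviews the message.
        return "rewrite:send->draft", [argv[0], "draft", *argv[2:]]
    return f"deny:{mode}", None

if __name__ == "__main__":
    # Constructed requests, as an agent might issue them.
    for cmd, mode in [
        ("calendar-tool events --today --json", "read_only"),
        ('mail-tool send --to a@corp.example --subject "Q3 numbers"', "draft_only"),
        ("calendar-tool delete --id e1", "read_only"),
    ]:
        print(mode, gate(cmd, mode))
```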
No Contact Filtering
The agent can see emails and meetings involving anyone in your inbox or calendar. Conversations with your lawyer, HR department, medical providers, or personal contacts are all visible. There is no way to block specific senders or domains from the agent's view.
No Audit Trail
OpenClaw does not log what the agent accessed, when, or what data was returned. If something goes wrong, you have no record of what happened. You cannot review what the agent saw or what actions it took.
Token Bloat from Raw API Responses
Even with compact JSON output, raw calendar and email API responses contain far more data than the agent needs. Every extra field wastes tokens, increases the chance of hallucination, slows responses, and raises API costs. Without a filtering layer, the agent ingests everything.
Real-World Risks: What Has Gone Wrong
These are not theoretical concerns. The OpenClaw ecosystem has seen serious security incidents in 2025 and 2026.
- Inbox deletion: An AI safety director had their entire email inbox deleted when an agent "optimized" their mailbox by removing over 200 messages, despite instructions not to delete anything.
- Malicious skills on ClawHub: Security researchers found over 800 malicious skills out of 10,700 on ClawHub. Some skills silently forwarded all emails to external addresses. Others injected hidden instructions into responses.
- ClawJacked vulnerability (CVE-2026-25253): A flaw that allowed attackers to hijack OpenClaw sessions and steal OAuth tokens in milliseconds. Over 40,000 systems were affected before a patch was released.
- Prompt injection via email: Attackers embedded hidden instructions in email bodies that manipulated AI agents into forwarding sensitive data to external addresses. The emails looked normal to humans but contained instructions the agent followed.
What PortEden Adds: The Missing Security Layer
PortEden is a data firewall that sits between the OpenClaw skill and your email or calendar provider. Instead of the CLI talking directly to Google or Microsoft, every request passes through PortEden's rules engine first. Here is how it changes each stage of the data flow.
How It Works in Practice
PortEden replaces generic email and calendar skills with its own: porteden/calendar and porteden/email. These skills use the PortEden CLI as their underlying binary. When your agent asks for calendar or email data, OpenClaw runs the PortEden CLI instead of a generic skill. The CLI authenticates with PortEden using an API key, and PortEden handles the connection to Google or Microsoft on your behalf, applying your security rules to every request.
The setup takes about five minutes:
- Install the PortEden CLI (Homebrew, install script, or Go install).
- Install the skills: `clawhub install porteden/calendar` and `clawhub install porteden/email`.
- Authenticate: `porteden auth login` (opens your browser).
- Add your API key to the OpenClaw config at `~/.openclaw/openclaw.json`.
- Connect your Google or Microsoft account through the PortEden dashboard at my.porteden.com.
From that point on, every request your AI agent makes flows through PortEden's rules before reaching your email or calendar provider.
Six Layers of Access Control
PortEden applies six configurable layers to every request:
- Visibility: Control how much the agent sees. Show full event details, or restrict to free/busy status only. Show email subject lines but redact the body. Show senders but hide recipients.
- Contact Rules: Block the agent from seeing any data involving specific people or domains. Emails from your lawyer, meetings with HR, personal appointments, all invisible to the agent.
- Action Limits: Restrict what the agent can do. Read-only means no sending, no deleting, no creating events. Draft-only mode lets the agent compose emails that you review before they are sent.
- Time Windows: Limit how far back and forward the agent can see. Allow access to the next two weeks but block all historical data. This prevents mining months of past emails or meetings.
- Account Scope: If you have multiple calendars or inboxes, choose which ones the agent can access. Work calendar only, personal inbox excluded.
- Data Reduction: Field-level redaction that removes sensitive fields before the data reaches the agent. Meeting titles visible but attendee lists hidden. Email headers visible but body content redacted.
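To show how several of these layers combine on one response, the added example below applies time windows, contact rules, visibility and field redaction to a calendar payload and records each decision. It is not PortEden's rules engine; the policy keys, event fields and sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical policy: key names are assumptions, not PortEden's rule schema.
POLICY = {
    "visibility": "full",                      # "full" or "free_busy"
    "blocked_contacts": {"hr@corp.example"},
    "blocked_domains": {"lawfirm.example"},
    "past_days": 0, "future_days": 14,         # time window around "now"
    "redact_fields": {"attendees", "description", "location"},
}

# Constructed sample of what a calendar skill might return (not real data).
EVENTS = [
    {"id": "e1", "title": "Sprint planning", "start": "2026-03-02T10:00:00+00:00",
     "end": "2026-03-02T11:00:00+00:00", "organizer": "me@corp.example",
     "attendees": ["dev@corp.example"], "description": "private notes"},
    {"id": "e2", "title": "Contract review", "start": "2026-03-03T09:00:00+00:00",
     "end": "2026-03-03T10:00:00+00:00", "organizer": "partner@LawFirm.example",
     "attendees": ["me@corp.example"]},
    {"id": "e3", "title": "Old 1:1", "start": "2026-01-10T09:00:00+00:00",
     "end": "2026-01-10T09:30:00+00:00", "organizer": "me@corp.example"},
]

def filter_events(events, policy, now):
    """Apply the rules before data reaches the agent; return (visible, audit)."""
    lo = now - timedelta(days=policy["past_days"])
    hi = now + timedelta(days=policy["future_days"])
    visible, audit = [], []
    for ev in events:
        people = [p.lower() for p in [ev.get("organizer"), *ev.get("attendees", [])] if p]
        if not lo <= datetime.fromisoformat(ev["start"]) <= hi:
            audit.append((ev["id"], "blocked:time_window"))
        elif any(p in policy["blocked_contacts"]
                 or p.rsplit("@", 1)[-1] in policy["blocked_domains"] for p in people):
            audit.append((ev["id"], "blocked:contact_rule"))
        elif policy["visibility"] == "free_busy":
            visible.append({"start": ev["start"], "end": ev["end"], "busy": True})
            audit.append((ev["id"], "reduced:free_busy"))
        else:
            kept = {k: v for k, v in ev.items() if k not in policy["redact_fields"]}
            visible.append(kept)
            audit.append((ev["id"], "redacted:" + ",".join(sorted(set(ev) - set(kept)))))
    return visible, audit

if __name__ == "__main__":
    now = datetime(2026, 3, 1, tzinfo=timezone.utc)  # fixed so the sample is stable
    for row in filter_events(EVENTS, POLICY, now):
        print(row)
```

Blocked events are dropped entirely rather than returned with empty fields, so the agent cannot infer that a meeting with a blocked contact exists.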
Context Hygiene: Better Data, Better Answers
Beyond security, PortEden delivers cleaner data to your AI agent. Raw email and calendar API responses from Google and Microsoft are full of nested structures, timezone metadata, organizer objects, and fields that waste tokens without improving the agent's response.
PortEden reduces token usage by roughly 80%. A typical calendar event response drops from around 180 tokens to 35 tokens. An email listing goes from hundreds of tokens per message to a clean, flat structure the agent understands immediately. Fewer tokens in means better answers out, fewer hallucinations, faster responses, and lower API costs.
Full Audit Trail
Every request is logged: what the agent asked for, what data was returned, what was blocked or redacted, and whether any write operations were attempted. The audit trail shows HTTP method, endpoint, status code, and response time. If anything goes wrong, you know exactly what happened.
One-Click Revocation
If you suspect a compromise, or simply want to cut off agent access, one click revokes all access across every connected provider. No hunting through OAuth settings, no revoking tokens one by one. Instant. Complete.
Direct OpenClaw vs. PortEden: Side-by-Side Comparison
| Capability | Direct OpenClaw | With PortEden |
|---|---|---|
| Visibility control | Full access, no filtering | Free/busy, field-level redaction |
| Contact blocking | Not available | Per-contact and per-domain rules |
| Action limits | Whatever OAuth allows | Read-only, draft-only, write |
| Time window | Full history exposed | Configurable past/future limits |
| Token usage | Bloated API responses | ~80% reduction (context hygiene) |
| Audit trail | No logging | Every request logged |
| Revocation | Manual OAuth token revocation | One-click, all providers |
| Prompt injection defense | None | Redacted content reduces attack surface |
Getting Started
If you are already using OpenClaw with an email or calendar skill, switching to PortEden takes minutes. Install the PortEden skills, authenticate, and configure your access rules. Your agent keeps the same capabilities, but every request now flows through your rules.
If you are new to OpenClaw, the PortEden OpenClaw setup guide walks you through the full installation in five steps. There is a free tier that includes all core security features.
For the full CLI reference, including every calendar and email command, see the CLI commands documentation.
The Bottom Line
OpenClaw gives AI agents powerful access to your email and calendar through a simple, standardized protocol. The skill installs a CLI on your machine, authenticates with OAuth, and executes commands on behalf of your agent. It works well. It is also completely unguarded by default.
The protocol has no built-in visibility controls, no contact filtering, no action limits, no audit trail, and no easy way to revoke access. Every one of those gaps has led to real incidents: deleted inboxes, stolen tokens, malicious skills, and unauthorized data access.
PortEden fills every gap. Six layers of access control, context hygiene that cuts token usage by 80%, a complete audit trail, and one-click revocation. Same agent, same skills, same functionality. Just secure.
Your data. Your rules.