Skip to content
Marketplace · Drive & Docs
Drive & Docs skillsVerifiedUpdated May 8, 2026

Secure Google Drive Skill

List, search, upload, organize, share, and manage Google Drive files from an OpenClaw agent — with permission changes audited and risky scopes blocked at the firewall.

View on ClawHub

google-drive · files · permissions · sharing

What this skill does
PortEden Drive gives an OpenClaw agent the file-management surface a virtual assistant actually needs — list, search, upload, create folders, rename, move, share, and adjust permissions — through one binary that keeps every mutation in PortEden's audit log. Where Drive automations usually go wrong is permission scope: an agent grants "anyone with the link" access while normalizing a filename, or makes a folder public while emptying its trash. The skill ships with PortEden's default-deny policy on permission changes; risky scopes (anyone, anyoneWithLink, allow link sharing) require explicit token policy to enable.

Example

Prompt

Share the 'Q2 Board Deck' with dana@board.com as a viewer, and make sure it isn't public.

Output
File: Q2 Board Deck (google:1Bx...)
ok  shared with dana@board.com   role=reader
no  link sharing: anyoneWithLink denied by default policy

Audit: who / with-whom / role / visibility logged.
Required tools
Google Drive
Compatible agents
OpenClawGrok BuildAny CLI-compatible agent

Add to your agent

Steps 1–2 are identical for every agent — install the porteden binary and authenticate once. Step 3 registers the skill with your runtime.

1

Install the PortEden CLI

OpenClaw skills delegate every API call to the porteden binary. Install once with Homebrew or Go.

brew install porteden/tap/porteden 
# or
go install github.com/porteden/cli/cmd/porteden@latest
2

Authenticate

Browser-based login is recommended — credentials are written to your OS keyring. Token-based login is available for headless environments.

porteden auth login 
# headless / CI
porteden auth login --token <PE_API_KEY> 
porteden auth status
3

Install the porteden-drive skill

OpenClaw fetches the signed skill bundle and registers its commands with the agent.

openclaw skills install porteden-drive

The SKILL.md

The canonical, copy-paste-able skill definition your agent loads.

SKILL.md · porteden-drive · v1.0.0 · MIT-0

porteden drive

Use porteden drive for Google Drive file and folder management. Use -jc flags for AI-optimized output.

If porteden is not installed: brew install porteden/tap/porteden (or go install github.com/porteden/cli/cmd/porteden@latest).

Setup (once)

  • Browser login (recommended): porteden auth login — opens browser, credentials stored in system keyring
  • Direct token: porteden auth login --token <key> — stored in system keyring
  • Verify: porteden auth status
  • If PE_API_KEY is set in the environment, the CLI uses it automatically (no login needed).
  • Drive access requires a token with driveAccessEnabled: true and a connected Google account with Drive scopes.

Drive commands (porteden drive)

  • List files: porteden drive files -jc
  • Search by keyword: porteden drive files -q "budget report" -jc
  • Filter by folder: porteden drive files --folder google:0B7_FOLDER_ID -jc
  • Filter by MIME type: porteden drive files --mime-type application/pdf -jc
  • Filter by name: porteden drive files --name "Q1" -jc
  • Shared with me: porteden drive files --shared-with-me -jc
  • Modified in range: porteden drive files --modified-after 2026-01-01 --modified-before 2026-02-01 -jc
  • All files (auto-paginate): porteden drive files --all -jc
  • Get file metadata: porteden drive file google:FILEID -jc
  • Get view/download links: porteden drive download google:FILEID -jc
  • List permissions: porteden drive permissions google:FILEID -jc
  • Upload file: porteden drive upload --file ./report.pdf --name "Q1 Report.pdf"
  • Upload to folder: porteden drive upload --file ./data.csv --name "Data.csv" --folder google:0B7_FOLDER
  • Create folder: porteden drive mkdir --name "Project Files"
  • Create folder in folder: porteden drive mkdir --name "Reports" --parent google:0B7_FOLDER
  • Rename: porteden drive rename google:FILEID --name "New Name.pdf"
  • Move: porteden drive move google:FILEID --destination google:0B7_DEST_FOLDER
  • Share with user: porteden drive share google:FILEID --type user --role reader --email user@example.com
  • Share with domain: porteden drive share google:FILEID --type domain --role reader --domain example.com
  • Share publicly: porteden drive share google:FILEID --type anyone --role reader
  • Delete (trash): porteden drive delete google:FILEID (prompts) or porteden drive delete google:FILEID -y

Notes

  • Credentials persist in the system keyring after login. No repeated auth needed.
  • Set PE_PROFILE=work to avoid repeating --profile.
  • -jc is shorthand for --json --compact: strips noise, limits fields, reduces tokens for AI agents.
  • File IDs are always provider-prefixed (e.g., google:1BxiMVs0XRA5...). Pass them as-is.
  • porteden drive files --all auto-paginates (safety cap: 50 pages). Check hasMore in JSON output.
  • porteden drive download returns URLs only — no binary content is streamed.
  • accessInfo in responses describes active token restrictions. Always check it to understand what data may be limited.
  • authWarnings in list responses indicate provider connection issues.
  • delete moves to trash (reversible). Files can be restored from Google Drive trash.
  • Confirm before sharing or deleting files.
  • Environment variables: PE_API_KEY, PE_PROFILE, PE_FORMAT, PE_COLOR, PE_VERBOSE.

How it works

01

google: prefixed file IDs

Every command accepts file IDs in the form google:1BxiMVs0XRA5… so the agent can carry IDs across skills (Docs, Sheets, Drive) without re-fetching. Listing returns this prefix in the id field.

02

Permission changes are audited and policy-gated

share writes a structured event to the audit log: who shared, with whom, role, link visibility. Token policy controls whether anyone / anyoneWithLink scopes are accepted at all — the upstream Drive call is not made when policy refuses.

03

Destructive ops trash, don't delete

delete moves the file to Drive's trash by default. Use --permanent to skip trash, but only with --yes; PortEden's default token policy denies --permanent until explicitly enabled.

Deploy org-wide

The same firewall behind every PortEden skill

  • Provision to teams with role-based access policies
  • Identity-aware execution — every call ties back to a user
  • Signed, version-pinned skills
  • Full audit trail on every tool call
  • Field-level redaction at egress
See enterprise controls
PortEden · v1.0.0 · MIT-0
Source on ClawHub

Frequently asked questions

What stops the agent from making a file public by mistake?
Risky scopes (anyone, anyoneWithLink, link sharing) are default-deny. The upstream Drive call is not made unless token policy explicitly enables that scope.
Is every permission change recorded?
Yes. share writes a structured event to the audit log: who shared, with whom, the role, and link visibility.
Does delete permanently remove files?
No. delete moves the file to Drive's trash by default. --permanent requires --yes and is denied by default token policy until you enable it.
Which agents can install it?
OpenClaw, Grok Build, or any CLI-compatible agent through the porteden binary.

Related Skills

Install Secure OpenClaw Google Drive Skill Without Inheriting the Audit Tail

Browser auth, keyring-bound credentials, server-side audit log. The same data firewall behind every PortEden integration.

Talk to sales

Regulated org or 200+ seats? Talk to sales →