gogcli for OpenClaw
gogcli is an open-source Go CLI by Peter Steinberger (steipete) that exposes Gmail and Google Calendar to OpenClaw agents. Here's what it does, how to install it, whether it's safe, and how PortEden adds the access controls and audit log gogcli doesn't ship.
gogcli · google · gmail · calendar · openclaw
The capability, in one paragraph
gogcli is a solid, no-frills bridge between an OpenClaw agent and Google Workspace — exactly what its README says it is. What it explicitly does not provide is the layer above the API: no per-agent access scoping, no visibility filtering, no contact or domain block-lists, no field-level redaction, no audit trail of what the agent actually saw or did, no one-click revocation. Once the agent has the OAuth token, it has the same access the token allows. For personal use on low-risk data, that's fine. For any inbox that contains client correspondence, legal threads, or regulated data, you need an access layer that sits between gogcli and the agent. That's what PortEden adds.
A few flags, predictable output
Is gogcli safe to use?
gogcli itself is open source, actively maintained, and stores credentials in your OS keychain — not in plaintext files. The 'safe' question is really about what the agent can do once gogcli is connected: gogcli does not restrict the agent's actions in any way. If you want safety guardrails (read-only mode, draft-only sending, contact blocking, audit logs), you need to put a control layer between gogcli and the agent — which is exactly what PortEden does.
gogcli vs gws (Google Workspace CLI)
gws is Google's own developer sample. It covers more of Google Workspace (Drive, Docs, Sheets, Chat in addition to email/calendar) but is explicitly 'not officially supported' and has the same fundamental gap as gogcli: no access controls, no audit trail. Pick gws if you need broad Workspace coverage; pick gogcli for tighter Gmail/Calendar focus. Pick PortEden if you need either provider plus Outlook and want enforceable rules.
gogcli + PortEden = the access layer gogcli is missing
PortEden runs as a proxy between OpenClaw and Google. Configure gogcli to call PortEden's API instead of Gmail/Calendar directly, and every request is filtered through your access rules: visibility, contact blocking, action limits, time windows, account scope, and field-level redaction. Every request is logged. One click revokes the agent's access entirely.
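An added sketch of the checks such a control layer makes before a request or a message passes between the agent and the mail API. It is not PortEden's or gogcli's code; the policy keys, function names and addresses are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed policy: rule names mirror the guardrails named above, not a real product schema.
POLICY = {
    "read_only": False,
    "draft_only": True,                        # "send" is downgraded to "draft"
    "blocked_contacts": {"cfo@corp.example"},
    "blocked_domains": {"lawfirm.example"},
    "redact_fields": {"body", "attachments"},
}
AUDIT_LOG = []  # stand-in for an append-only audit store

def _blocked(addr, policy):
    addr = addr.strip().lower()
    return (addr in policy["blocked_contacts"]
            or addr.rpartition("@")[2] in policy["blocked_domains"])

def _audit(agent, action, decision, reason):
    AUDIT_LOG.append(json.dumps({
        "ts": datetime.now(timezone.utc).isoformat(), "agent": agent,
        "action": action, "decision": decision, "reason": reason}))

def authorize(agent, req, policy=POLICY):
    """Decide one agent request before it reaches the mail API."""
    action, out = req.get("action"), None
    if action not in ("read", "draft", "send"):
        decision, reason = "deny", "unknown action"      # fail closed
    elif any(_blocked(a, policy) for a in req.get("to", [])):
        decision, reason = "deny", "blocked recipient"
    elif action != "read" and policy["read_only"]:
        decision, reason = "deny", "read-only mode"
    elif action == "send" and policy["draft_only"]:
        decision, reason = "downgrade", "draft-only sending"
        out = {**req, "action": "draft"}
    else:
        decision, reason, out = "allow", "within policy", dict(req)
    _audit(agent, action, decision, reason)
    return decision, out

def filter_message(agent, msg, policy=POLICY):
    """Apply visibility and field redaction before the agent sees a message."""
    if any(_blocked(a, policy) for a in [msg["from"], *msg.get("to", [])]):
        _audit(agent, "read", "hide", "blocked party")
        return None
    _audit(agent, "read", "allow", "fields redacted")
    return {k: "[REDACTED]" if k in policy["redact_fields"] else v
            for k, v in msg.items()}
```

Every path, including denials and unknown actions, writes an audit record, so the log reflects what the agent attempted as well as what it was allowed to do.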
Five minutes, three commands
Install gogcli (macOS / Linux / Windows)
gogcli is a single Go binary. Install with go install, or download a pre-built release.
# Go install (any platform with Go 1.21+)
go install github.com/steipete/gogcli/cmd/gog@latest
# Windows: also available as a release binary
# https://github.com/steipete/gogcli/releases
Authenticate with your Google Cloud project
gogcli requires a Google Cloud OAuth client (Desktop app type). Create credentials in console.cloud.google.com, download the client secret JSON, and run gog auth login. Refresh tokens land in the OS keychain.
gog auth login --credentials ./client_secret.json
gog auth status
Layer PortEden on top for access controls + audit
Without PortEden, the agent has every permission the OAuth token allows. With PortEden, every call gogcli makes is filtered through your rules and logged. Start free.
# Install PortEden's CLI alongside gogcli
brew install porteden/tap/porteden
porteden auth login
# Then route OpenClaw to call porteden instead of gogcli directly
# (or run both and compare audit logs)
PortEden free — the audit log + rule engine for gogcli.
Keep gogcli for Gmail and Calendar; route through PortEden so every call is filtered, redacted, and logged. Five minutes to set up.
Use gogcli with the guardrails it was never going to ship.
gogcli is a fine bridge. PortEden gives you the access controls, audit trail, and one-click revocation that any agent touching a real inbox needs.