Third-party · Grok Build Skill

gogcli for Grok Build

gogcli is an open-source Go CLI by Peter Steinberger (steipete) that exposes Gmail and Google Calendar to Grok Build agents. Here's what it does, how to install it, whether it's safe, and how PortEden adds the access controls and audit log gogcli doesn't ship.

View on ClawHub

gogcli · google · gmail · calendar · openclaw

What it does

The capability, in one paragraph

gogcli is a Go-based command-line tool that wraps Google's Gmail and Google Calendar APIs in a shape Grok Build agents can call. It ships as a single binary, authenticates via OAuth 2.0 against your own Google Cloud project, and stores refresh tokens in the OS keychain (macOS Keychain, Windows Credential Manager, Linux secret-service). Supported operations cover the Gmail message lifecycle (search with Gmail query syntax, read, send, reply, forward, label, delete) and the Google Calendar event lifecycle (list, create, update, delete, free/busy). It's available as an Grok Build skill on ClawHub and supports multi-account plus service-account delegation for enterprise use. gogcli is Google-only. It does not support Outlook, Exchange, or Microsoft Graph.

Why it matters

gogcli is a solid, no-frills bridge between an Grok Build agent and Google Workspace — exactly what its README says it is. What it explicitly does not provide is the layer above the API: no per-agent access scoping, no visibility filtering, no contact or domain block-lists, no field-level redaction, no audit trail of what the agent actually saw or did, no one-click revocation. Once the agent has the OAuth token, it has the same access the token allows. For personal use on low-risk data, that's fine. For any inbox that contains client correspondence, legal threads, or regulated data, you need an access layer that sits between gogcli and the agent. That's what PortEden adds.

How it works

A few flags, predictable output

Is gogcli safe to use?

gogcli itself is open source, actively maintained, and stores credentials in your OS keychain — not in plaintext files. The 'safe' question is really about what the agent can do once gogcli is connected: gogcli does not restrict the agent's actions in any way. If you want safety guardrails (read-only mode, draft-only sending, contact blocking, audit logs), you need to put a control layer between gogcli and the agent — which is exactly what PortEden does.

gogcli vs gws (Google Workspace CLI)

gws is Google's own developer sample. It covers more of Google Workspace (Drive, Docs, Sheets, Chat in addition to email/calendar) but is explicitly 'not officially supported' and has the same fundamental gap as gogcli: no access controls, no audit trail. Pick gws if you need broad Workspace coverage; pick gogcli for tighter Gmail/Calendar focus. Pick PortEden if you need either provider plus Outlook and want enforceable rules.

gogcli + PortEden = the access layer gogcli is missing

PortEden runs as a proxy between Grok Build and Google. Configure gogcli to call PortEden's API instead of Gmail/Calendar directly, and every request is filtered through your access rules: visibility, contact blocking, action limits, time windows, account scope, and field-level redaction. Every request is logged. One click revokes the agent's access entirely.

Install

Five minutes, three commands

Install the PortEden CLI

Grok Build skills delegate every API call to the porteden binary. Install once with Homebrew or Go — the agent runtime invokes it on your behalf.

brew install porteden/tap/porteden 
# or
go install github.com/porteden/cli/cmd/porteden@latest

Authenticate

Browser-based login is recommended — credentials are written to your OS keyring. Token-based login is available for headless environments.

porteden auth login 
# headless / CI
porteden auth login --token <PE_API_KEY> 
porteden auth status

Add gogcli to your Grok Build skills directory

Grok Build loads SKILL.md files from .grok/skills/. Drop the canonical SKILL.md into that directory and Grok picks it up on next session.

mkdir -p .grok/skills/gogcli 
curl -fsSL https://porteden.com/skills/grok-build/gogcli/SKILL.md \ 
  -o .grok/skills/gogcli/SKILL.md

Try it on your data

Install gogcli — Google CLI for Grok Build Agents in five minutes. No credit card required.

Free tier covers personal Gmail, Outlook, Google Calendar, and Drive accounts. Upgrade for organization-wide policy and audit log.

See pricing

Related Resources

Blog — gogcli vs gws vs PortEden

Full comparison across features, security, and AI agent readiness.

Open

Solution — Secure Gmail for AI Agents

How PortEden's six-layer access model applies to Gmail specifically.

Open

Grok Build provider page

How Grok Build agents connect to PortEden's data firewall.

Open

Risk Brief — Connecting email to AI

GDPR, HIPAA, ABA Op. 512, and NDA exposure when AI touches email.

Open

Peter Steinberger (steipete) — third-party · · Open source

Source on ClawHub

Related Skills

Grok Build · Email

Secure OpenClaw Gmail Skill

Read, search, send, reply, and triage Gmail from an OpenClaw loop with explicit confirmation on every mutation and PortEden redaction on every fetched body.

View skill v1.0.0

Grok Build · Calendar

Secure OpenClaw Google Calendar Skill

Read, search, create, update, delete, and respond to Google Calendar events with confirmation gates on every mutation and PortEden enforcement on every read.

View skill v1.0.0

Grok Build · Email

Secure OpenClaw Email (Gmail, Outlook, Exchange) Skill

One install gives an OpenClaw agent policy-controlled access to all three mail backends — with field-level redaction applied before a single token leaves your network.

View skill v1.0.5

Install gogcli — Google CLI for Grok Build Agents Without Inheriting the Audit Tail

Browser auth, keyring-bound credentials, server-side audit log. The same data firewall behind every PortEden integration — wrapped for xAI's Grok Build runtime.

Talk to sales

Regulated org or 200+ seats? Talk to sales →