Secure Grok Build Google Docs Skill
Permission-aware document operations for Google Docs — create, read, append, share, rename, export — every write logged to PortEden's audit trail.
google-docs · documents · editing · permissions
porteden docs
Use porteden docs for Google Docs content operations and file management. Use -jc flags for AI-optimized output.
If porteden is not installed: brew install porteden/tap/porteden (or go install github.com/porteden/cli/cmd/porteden@latest).
Setup (once)
- Browser login (recommended):
porteden auth login— opens browser, credentials stored in system keyring - Direct token:
porteden auth login --token <key>— stored in system keyring - Verify:
porteden auth status - If
PE_API_KEYis set in the environment, the CLI uses it automatically (no login needed). - Drive access requires a token with
driveAccessEnabled: trueand a connected Google account with Drive scopes.
Docs commands (porteden docs)
Content
- Create new doc:
porteden docs create --name "Meeting Notes" - Create in folder:
porteden docs create --name "Brief" --folder google:0B7_FOLDER - Read content (plain text):
porteden docs read google:DOCID - Read structured (full Google Docs API JSON):
porteden docs read google:DOCID --format structured -j - Append text:
porteden docs edit google:DOCID --append "New paragraph." - Insert at start:
porteden docs edit google:DOCID --insert "Header text" --at 1 - Find and replace:
porteden docs edit google:DOCID --find "old text" --replace "new text" - Multiple replacements:
porteden docs edit google:DOCID --find "foo" --replace "bar" --find "baz" --replace "qux" - Bulk ops from file:
porteden docs edit google:DOCID --ops-file ./ops.json
File management
- Get export links (pdf, docx, txt):
porteden docs download google:DOCID -jc - Share:
porteden docs share google:DOCID --type user --role writer --email user@example.com - Share publicly:
porteden docs share google:DOCID --type anyone --role reader - List permissions:
porteden docs permissions google:DOCID -jc - Rename:
porteden docs rename google:DOCID --name "New Title" - Delete (trash):
porteden docs delete google:DOCID -y
Ops file format
--ops-file accepts a JSON array of operations:
[
{"type": "appendText", "text": "New paragraph at end."},
{"type": "insertText", "text": "Header", "index": 1},
{"type": "replaceText", "find": "old phrase", "replace": "new phrase", "matchCase": true}
]Notes
- Credentials persist in the system keyring after login. No repeated auth needed.
- Set
PE_PROFILE=workto avoid repeating--profile. -jcis shorthand for--json --compact: strips noise, limits fields, reduces tokens for AI agents.- File IDs are always provider-prefixed (e.g.,
google:1BxiMVs0XRA5...). Pass them as-is. porteden docs readreturns plain text by default; use--format structuredfor full API JSON with headings and formatting.--findand--replaceare repeatable and must be used in matched pairs.--ops-fileis mutually exclusive with inline edit flags.porteden docs downloadreturns URLs only — no binary content is streamed.accessInfoin responses describes active token restrictions.deletemoves to trash (reversible). Files can be restored from Google Drive trash.- Confirm before sharing or deleting.
- Environment variables:
PE_API_KEY,PE_PROFILE,PE_FORMAT,PE_COLOR,PE_VERBOSE.
The capability, in one paragraph
Docs is where SMBs accumulate their most sensitive prose: client memos, board minutes, employee reviews, contract redlines. Every "summarize this for me" prompt against Gemini or Claude pastes that prose into a vendor model. PortEden Docs lets the agent produce, share, and triage docs without ever streaming the full body to the upstream model.
A few flags, predictable output
Read returns redacted content
docs read google:DOCID returns paragraph-structured JSON with PortEden's redaction policy applied. The structure (headings, lists, links) is preserved; identifier strings are masked unless the agent has consent to fetch raw.
Append vs replace edits
docs edit --append adds content to the end of the doc; --insert-at <index> places it at a paragraph index; --replace-range start:end overwrites. Append is the default because it composes safely with concurrent human edits.
porteden docs edit google:DOCID --append "## Status update\nAll items on track." Bulk operations via --ops-file
Bulk mode reads a JSON array of operations and applies them in order with one consolidated audit entry. The JSON schema mirrors the single-op CLI so testing is symmetric.
Five minutes, three commands
Install the PortEden CLI
Grok Build skills delegate every API call to the porteden binary. Install once with Homebrew or Go — the agent runtime invokes it on your behalf.
brew install porteden/tap/porteden # orgo install github.com/porteden/cli/cmd/porteden@latest Authenticate
Browser-based login is recommended — credentials are written to your OS keyring. Token-based login is available for headless environments.
porteden auth login # headless / CIporteden auth login --token <PE_API_KEY> porteden auth status Add porteden-docs to your Grok Build skills directory
Grok Build loads SKILL.md files from .grok/skills/. Drop the canonical SKILL.md into that directory and Grok picks it up on next session.
mkdir -p .grok/skills/porteden-docs curl -fsSL https://porteden.com/skills/grok-build/porteden-docs/SKILL.md \ -o .grok/skills/porteden-docs/SKILL.md Install Secure Grok Build Google Docs Skill in five minutes. No credit card required.
Free tier covers personal Gmail, Outlook, Google Calendar, and Drive accounts. Upgrade for organization-wide policy and audit log.
Related Skills
Install Secure Grok Build Google Docs Skill Without Inheriting the Audit Tail
Browser auth, keyring-bound credentials, server-side audit log. The same data firewall behind every PortEden integration — wrapped for xAI's Grok Build runtime.
Regulated org or 200+ seats? Talk to sales →