OpenClaw Google Drive CLI Security
Lock down Google Drive, Docs, and Sheets access for AI agents from your terminal. Define operation permissions, file-level firewall rules, and field visibility in a config file. Every Drive API request is filtered before your files are touched.
Connect PortEden to Google Drive (CLI)
npx @porteden/cli connect google-drive
How PortEden Protects You
Six layers of security between AI and your data.
16 Operation Permissions as Config
Control exactly which Drive operations each agent can perform: list, search, read, upload, edit docs, write sheets, share, and more. Define them in a config file and version in git.
File-Level Firewall Rules
Restrict access by file ID, folder, or MIME type. Block agents from accessing HR spreadsheets or financial models while allowing access to project docs.
Field Visibility Masking
Control which metadata fields agents can see. Hide file owners, sharing links, and permissions from agent responses while keeping file content accessible.
Operation Presets for Quick Setup
Use shorthand presets like read_only, docs_read_only, sheets_all, or workspace_all to configure common permission sets in a single line of config.
Scope picking, shared-drive inheritance, and the 30 KB extraction limit
Drive has three scopes that look similar and aren't:
- https://www.googleapis.com/auth/drive.readonly: read every file the user has access to, including files shared from outside the org. Use for read-only research agents only.
- https://www.googleapis.com/auth/drive.file: read/write only files the app created or files the user explicitly opened via a Drive picker. Best default for write-capable agents.
- https://www.googleapis.com/auth/drive: full access including organizational shared drives. Avoid unless the agent is owned by the workspace admin.
The OpenClaw Drive CLI picks the narrowest scope your config actually needs and refuses to request drive by default, even when the OAuth consent screen offers it.
File-ID vs folder-ID rules
# ~/.porteden/drive.yaml
agents:
  contracts_summarizer:
    operations: docs_read_only  # preset: list, get, export(text/plain)
    firewall:
      folder_allowlist:
        - "0AHr...contracts_root"  # folder ID
      mime_allowlist:
        - "application/vnd.google-apps.document"
      file_denylist:
        - "1Bxq...exec_comp.gsheet"  # never, even if shared in folder
      shared_drive_inheritance: explicit  # see below
Shared-drive permission inheritance: the gotcha
In a Shared Drive (formerly "Team Drive"), file permissions inherit from the drive root. If you allowlist a folder inside a shared drive, the agent inherits read access to any nested subfolder you didn't explicitly think about. shared_drive_inheritance: explicit forces the CLI to fail closed on any file whose parent chain isn't in folder_allowlist, which is the safer default for regulated data.
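The sketch below is an added example, not PortEden's code, showing one way a proxy could evaluate the firewall keys from the config above and fail closed. It assumes that explicit means the file's direct parent must itself be listed, that any other value lets nested folders inherit, and that the denylist is checked first; all IDs and metadata are constructed.

```python
# Added illustration, not PortEden's code. Policy keys mirror drive.yaml above;
# evaluation order, mode semantics and all IDs are assumptions.
DOC = "application/vnd.google-apps.document"
SHEET = "application/vnd.google-apps.spreadsheet"
FOLDER = "application/vnd.google-apps.folder"
META = {  # constructed Drive metadata: id -> mimeType, parents
    "DRIVE_ROOT": {"mimeType": FOLDER, "parents": []},
    "FOLDER_CONTRACTS": {"mimeType": FOLDER, "parents": ["DRIVE_ROOT"]},
    "FOLDER_NESTED": {"mimeType": FOLDER, "parents": ["FOLDER_CONTRACTS"]},
    "DOC_A": {"mimeType": DOC, "parents": ["FOLDER_CONTRACTS"]},
    "DOC_NESTED": {"mimeType": DOC, "parents": ["FOLDER_NESTED"]},
    "SHEET_COMP": {"mimeType": SHEET, "parents": ["FOLDER_CONTRACTS"]},
    "DOC_ORPHAN": {"mimeType": DOC, "parents": ["FOLDER_UNKNOWN"]},
}
POLICY = {
    "folder_allowlist": ["FOLDER_CONTRACTS"],
    "mime_allowlist": [DOC],
    "file_denylist": ["SHEET_COMP"],
    "shared_drive_inheritance": "explicit",
}

def ancestors(file_id, meta):
    """Return folder IDs from the direct parent up to the drive root."""
    chain, current = [], file_id
    while meta[current]["parents"]:        # KeyError: a parent we cannot resolve
        current = meta[current]["parents"][0]
        if current in chain:               # malformed, cyclic chain
            raise KeyError(current)
        chain.append(current)
    return chain

def decide(file_id, meta, policy):
    """Return (allowed, reason); every unresolved case is a deny."""
    if file_id in policy["file_denylist"]:     # denylist wins over any allow
        return False, "file_denylist"
    entry = meta.get(file_id)
    if entry is None or entry["mimeType"] not in policy["mime_allowlist"]:
        return False, "mime_allowlist"
    try:
        chain = ancestors(file_id, meta)
    except KeyError:                           # fail closed on a broken chain
        return False, "unresolved_parent_chain"
    allowed = set(policy["folder_allowlist"])
    if policy["shared_drive_inheritance"] == "explicit":
        ok = bool(chain) and chain[0] in allowed   # direct parent must be listed
    else:                                          # assumed inheriting mode
        ok = any(folder in allowed for folder in chain)
    return (True, "allowed") if ok else (False, "outside_folder_allowlist")
```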
The 30 KB Drive Docs extraction limit
When you export a Google Doc with files.export(mimeType="text/plain"), the API truncates at 10 MB. That sounds generous, but agent context windows aren't: most workflows can only consume the first ~30 KB before the model is full. The CLI exposes body_max_kb: 32 in the config so an agent that hits a 9 MB design doc gets the executive summary, not a payload that blows the context window and forces a fallback to files.get with no body at all.
Field visibility for Drive metadata
Drive responses include owners, permissions, sharingUser, and lastModifyingUser — all PII the agent doesn't need to draft a summary. Use fields_visible to strip them at the proxy layer before the agent ever sees them.
Get Started in 3 Steps
Install — CLI or MCP
Install the PortEden CLI or add the cloud MCP connector to your AI client, then connect your Google account via Custom OAuth with Drive scopes.
Define Drive Security Rules
Configure operation permissions, file-level firewall rules, and field visibility in your config file.
Route Agents Through PortEden
Point your AI agents to the PortEden Drive API. Every request to Docs, Sheets, and files is filtered through your rules.
Without vs. With PortEden
Without PortEden
- Raw Drive OAuth tokens stored in agent configs with full account access
- No command-line tool for defining Drive access rules
- Security configuration locked behind Google's point-and-click admin console
- No way to restrict agents to specific files, folders, or document types
With PortEden
- OAuth tokens stored securely by the CLI, never exposed to agents
- Drive security rules defined in config files, versioned in git
- File-level firewall blocks access to sensitive files and folders
- Operation presets configure Docs, Sheets, and Drive permissions in one line