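Installation
Manual download and install
Download the ZIP and extract it into the skills directory to install. If downloading directly inside the desktop client's WebView fails, this site falls back to a notice page plus the original link; follow the instructions on that page.
Download ZIP (shub-google-workspace-byok-v1.0.0.zip)
Trigger command
/google-workspace-byok
Cross-platform installation guide
This skill declares compatibility with the following 1 platform; extract the ZIP into the corresponding directory and it will be recognized.
```bash
unzip shub-google-workspace-byok-v1.0.0.zip -d ~/.claude/skills/
```
Create with `mkdir -p`; after enabling the Skill, restart the corresponding Agent for the configuration to take effect.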
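Usage guide
Google Workspace BYOK
About Google Workspace BYOK: configuration hints related to customer-managed keys and Workspace compliance; legal and contractual terms are governed by your organization's policy. There is no need to hand-assemble scattered English instructions into the context before every task, and it reduces trial and error caused by drifting from the client's default behavior; specific commands, hooks and JSON parameters remain authoritative in the SKILL.md inside the ZIP. The structure below matches the site's MCP CLI topic articles: when to use, prerequisites, workflow, quick reference and troubleshooting.
When to use
- Configuration hints related to customer-managed keys and Workspace compliance
- Legal and contractual terms are governed by your organization's policy
- You have obtained this skill's ZIP and plan to mount it in Claude Code / OpenClaw as described in SKILL.md.
- You want to use the Chinese topic article to decide quickly whether to enable the skill, then dig into the English SKILL for parameters and limits.
- You need to align your team on the same trigger method, directory conventions or callback format.
Prerequisites
- General: you can run Claude Code or the client the documentation requires, and you have a readable and writable project workspace (or the sandbox directory specified in SKILL.md).
- Authoritative details: API Key / OAuth, hook paths and environment variables are as stated in the SKILL.md inside the ZIP.
Typical workflow
- Get the skill ZIP from ClawHub or this site's distribution, and verify the version and checksum (if provided).
- Read the installation section of SKILL.md: target directory and client type (Claude Code / OpenClaw / script).
- Complete the first call with the minimal example from the documentation (a single-file change, a single query or a single delegation).
- Confirm the working directory, permission boundaries and output paths before handling multi-file or long-running tasks.
- When callbacks / webhooks / notifications are needed, configure the endpoint as described in SKILL.md and verify it in a test environment first.
Relationship to the ZIP / SKILL.md
Like the site's MCP CLI oss articles, this topic article summarizes when to use the skill, how to connect it and how to troubleshoot; command templates, hook names, JSON fields and the version matrix all defer to the SKILL.md inside the ZIP and to ClawHub upstream.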
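Command examples (extracted from the packaged SKILL.md)
The following terminal/script snippets were automatically extracted from the upstream SKILL.md (or the ingested text); paths, environment variables and parameters are as given by the current ZIP and the official instructions.
ClawHub slug: google-workspace-byok (the install command is as given by SKILL.md / the claw CLI).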
```bash
cd {baseDir}/scripts && npm install
node {baseDir}/scripts/setup.js --credentials /path/to/downloaded-credentials.json
node {baseDir}/scripts/auth.js --account <label>

# List all calendars
node {baseDir}/scripts/calendar.js --account <label> --action list-calendars
# List upcoming events (default: next 7 days, primary calendar)
node {baseDir}/scripts/calendar.js --account <label> --action events
# List events with options
node {baseDir}/scripts/calendar.js --account <label> --action events --calendar <calendarId> --days <number> --max <number>
# Get a specific event
node {baseDir}/scripts/calendar.js --account <label> --action get-event --calendar <calendarId> --event-id <eventId>
# Check free/busy
node {baseDir}/scripts/calendar.js --account <label> --action freebusy --days <number>

# List recent emails (default: 10)
node {baseDir}/scripts/gmail.js --account <label> --action list
# Search emails
node {baseDir}/scripts/gmail.js --account <label> --action list --query "from:someone@example.com" --max 20
# Read a specific email (includes attachment metadata with IDs)
node {baseDir}/scripts/gmail.js --account <label> --action read --message-id <messageId>
# Download all attachments from an email
node {baseDir}/scripts/gmail.js --account <label> --action attachment --message-id <messageId> --out-dir /tmp/attachments
# Download a specific attachment
node {baseDir}/scripts/gmail.js --account <label> --action attachment --message-id <messageId> --attachment-id <id> --out-dir /tmp
# List labels
node {baseDir}/scripts/gmail.js --account <label> --action labels

# 1. Download the attachment
mkdir -p /tmp/attachments
node {baseDir}/scripts/gmail.js --account <label> --action attachment --message-id <id> --out-dir /tmp/attachments
# 2. Extract text from the PDF
node --input-type=module -e "
import * as mupdf from '{baseDir}/scripts/node_modules/mupdf/dist/mupdf.js';
import fs from 'fs';
const data = fs.readFileSync('/tmp/attachments/filename.pdf');
const doc = mupdf.Document.openDocument(data, 'application/pdf');
for (let i = 0; i < doc.countPages(); i++) {
  const page = doc.loadPage(i);
  console.log(page.toStructuredText('preserve-whitespace').asText());
}
"

# List configured accounts
node {baseDir}/scripts/accounts.js --action list
# Check token status
node {baseDir}/scripts/accounts.js --action status --account <label>
```
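Trigger command as registered on this site (full semantics are in the ZIP):
```
# When using this skill, you can reference or run the commands above in conversation; full parameters and examples are in the SKILL.md in the download package.
/google-workspace-byok
```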
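Best practices
- Read SKILL.md before guessing parameters; the site's topic article does not replace the schema and the required-field documentation.
- When delegating a task, state the acceptance criteria clearly (commands, file paths, test commands) to reduce back-and-forth questions.
- For long tasks, use the callbacks / on-disk logs the documentation recommends instead of high-frequency polling; this saves tokens and machine load.
- When several skills are enabled at once, watch the hook load order and duplicate tool calls (as described in the conflict notes in SKILL.md).
Debugging and troubleshooting
- Turn on stderr and client logs; in PTY/tmux setups, also look at the last few dozen lines of panel output.
- For parameter errors, compare against the JSON/CLI examples in SKILL.md (quoting, escaping, working directory).
- For network failures: check the proxy, the firewall and the MCP transport (stdio / HTTP / SSE).
Quick reference
| Action | Description |
|------|------|
| Get the skill package | ClawHub / site ZIP; verify the version |
| Authoritative steps | Read the SKILL.md inside the ZIP first |
| First trial run | Use the minimal example from SKILL.md |
| Acceptance | Check against paths, test commands or callback payloads |
Common failures
- No output or immediate exit → wrong working directory, dependencies not installed, or Claude Code not logged in; run the self-check list in SKILL.md.
- Permission denied → check the sandbox path, `--permission-mode` and the tool allowlist.
- Does not match the description → the English SKILL and the upstream repository are authoritative; the site article is only a structured guide.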
# Google Workspace BYoK (Bring Your Own Key)
Direct Google Calendar and Gmail API access using your own GCP project OAuth2 credentials. Supports multiple Google accounts.
## Prerequisites
- **Node.js** (v18+)
- A **Google Cloud project** with Calendar and Gmail APIs enabled
- OAuth2 **Desktop app** credentials from your GCP project
## Setup
### Step 1: Install Dependencies
```bash
cd {baseDir}/scripts && npm install
```
This installs `googleapis` (Google API client) and `mupdf` (PDF text extraction for email attachments).
### Step 2: Create a Google Cloud Project
1. Go to [Google Cloud Console](https://console.cloud.google.com) and create a new project (or use an existing one)
2. Enable the **Google Calendar API** and **Gmail API**:
   - Go to **APIs & Services → Library**
   - Search for "Google Calendar API" → click **Enable**
   - Search for "Gmail API" → click **Enable**
### Step 3: Configure the OAuth Consent Screen
1. Go to **Google Auth Platform → Audience** ([direct link](https://console.cloud.google.com/auth/audience))
2. If prompted, configure the consent screen:
   - **App name**: anything (e.g., "OpenClaw")
   - **User support email**: your email
   - **Scopes**: skip (the auth script requests scopes at runtime)
3. If your app is in **Testing** publishing status (the default), add every Google account you want to authorize as a **test user**:
   - Under **Test users**, click **Add users**
   - Enter the email addresses of each account you'll connect
   - Save
> **⚠️ Important:** Apps in "Testing" status have a **7-day token expiry**. To get long-lived tokens, publish your app to "Production" in the Audience settings. For personal Gmail accounts (External user type), you can skip Google's verification review — you'll just see an "unverified app" warning during consent. This is fine for personal use.
### Step 4: Create OAuth Credentials
1. Go to **Google Auth Platform → Clients** ([direct link](https://console.cloud.google.com/auth/clients))
2. Click **Create Client** → choose **Desktop app** as the application type
3. Name it whatever you like (e.g., "OpenClaw")
4. Click **Create** and **download the credentials JSON**
5. Run the setup script:
```bash
node {baseDir}/scripts/setup.js --credentials /path/to/downloaded-credentials.json
```
This copies your credentials to `~/.openclaw/google-workspace-byok/credentials.json`.
### Step 5: Authorize Google Accounts
For each Google account you want to connect:
```bash
node {baseDir}/scripts/auth.js --account <label>
```
The `<label>` is a friendly name you'll use to reference this account (e.g., "personal", "work", "household").
**Auth flow:**
1. The script prints an authorization URL
2. Open the URL in your browser and sign in with the Google account
3. Grant the requested permissions
4. You'll be redirected to `http://localhost/...` — **the page won't load, and that's expected**
5. Copy the **full URL** from your browser's address bar and paste it back into the script
6. The script exchanges the code for tokens and saves them
**Scopes requested (default — read/write):**
- `calendar` — Full read/write access to Google Calendar
- `gmail.readonly` — Read-only access to Gmail
Pass `--readonly` to request read-only calendar access instead.
Tokens are stored in `~/.openclaw/google-workspace-byok/tokens/<label>.json`.
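The paste-back step of the auth flow above, as an added example (not the skill's own `auth.js`): it checks the pasted redirect URL before any code is exchanged and compares the granted scopes with the defaults listed above. The function name and the `state` check are assumptions; the scope URLs are Google's full names for `calendar` and `gmail.readonly`.

```javascript
// Added example, not the skill's auth.js. Function name and `state` use are assumptions.
const EXPECTED_SCOPES = new Set([
  'https://www.googleapis.com/auth/calendar',
  'https://www.googleapis.com/auth/gmail.readonly',
]);

// Constructed sample of what the address bar shows after consent (not a real code).
const SAMPLE_REDIRECT =
  'http://localhost/?state=st-123&code=4/0Aconstructed' +
  '&scope=https://www.googleapis.com/auth/calendar%20https://www.googleapis.com/auth/gmail.readonly';

function parsePastedRedirect(pasted, expectedState, allowedScopes = EXPECTED_SCOPES) {
  let url;
  try {
    url = new URL(String(pasted).trim());
  } catch {
    throw new Error('not a URL: paste the full address-bar contents');
  }
  // Desktop-app clients redirect to http://localhost; reject any other target.
  if (url.protocol !== 'http:' || url.hostname !== 'localhost') {
    throw new Error(`unexpected redirect target: ${url.origin}`);
  }
  const q = url.searchParams;
  // Google reports refusals (e.g. access_denied) as an `error` parameter.
  if (q.has('error')) throw new Error(`authorization failed: ${q.get('error')}`);
  // Bind the pasted URL to the authorization request this process started.
  if (!expectedState || q.get('state') !== expectedState) {
    throw new Error('state mismatch: URL belongs to another session');
  }
  const code = q.get('code');
  if (!code) throw new Error('no authorization code in URL');
  // The redirect lists the scopes actually granted, space separated.
  const granted = (q.get('scope') || '').split(/\s+/).filter(Boolean);
  return {
    code,
    granted,
    unexpected: granted.filter((s) => !allowedScopes.has(s)),
    missing: [...allowedScopes].filter((s) => !granted.includes(s)),
  };
}

console.log(parsePastedRedirect(SAMPLE_REDIRECT, 'st-123'));
```

A non-empty `missing` list means the user unchecked a permission on the consent screen, so later calendar or Gmail calls will fail with an authorization error rather than a bug in the scripts.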
## Usage
All scripts are in `{baseDir}/scripts/`. Run them with `node`.
### Calendar
```bash
# List all calendars
node {baseDir}/scripts/calendar.js --account <label> --action list-calendars
# List upcoming events (default: next 7 days, primary calendar)
node {baseDir}/scripts/calendar.js --account <label> --action events
# List events with options
node {baseDir}/scripts/calendar.js --account <label> --action events --calendar <calendarId> --days <number> --max <number>
# Get a specific event
node {baseDir}/scripts/calendar.js --account <label> --action get-event --calendar <calendarId> --event-id <eventId>
# Check free/busy
node {baseDir}/scripts/calendar.js --account <label> --action freebusy --days <number>
```
### Gmail
```bash
# List recent emails (default: 10)
node {baseDir}/scripts/gmail.js --account <label> --action list
# Search emails
node {baseDir}/scripts/gmail.js --account <label> --action list --query "from:someone@example.com" --max 20
# Read a specific email (includes attachment metadata with IDs)
node {baseDir}/scripts/gmail.js --account <label> --action read --message-id <messageId>
# Download all attachments from an email
node {baseDir}/scripts/gmail.js --account <label> --action attachment --message-id <messageId> --out-dir /tmp/attachments
# Download a specific attachment
node {baseDir}/scripts/gmail.js --account <label> --action attachment --message-id <messageId> --attachment-id <id> --out-dir /tmp
# List labels
node {baseDir}/scripts/gmail.js --account <label> --action labels
```
Gmail search uses the same query syntax as the Gmail web search box (e.g., `is:unread`, `from:`, `newer_than:1d`, `has:attachment`).
### Reading PDF Attachments
The skill includes `mupdf` for extracting text from PDF attachments — useful for newsletters, invoices, school letters, etc. It handles multilingual text (Japanese, Chinese, etc.) well.
```bash
# 1. Download the attachment
mkdir -p /tmp/attachments
node {baseDir}/scripts/gmail.js --account <label> --action attachment --message-id <id> --out-dir /tmp/attachments
# 2. Extract text from the PDF
node --input-type=module -e "
import * as mupdf from '{baseDir}/scripts/node_modules/mupdf/dist/mupdf.js';
import fs from 'fs';
const data = fs.readFileSync('/tmp/attachments/filename.pdf');
const doc = mupdf.Document.openDocument(data, 'application/pdf');
for (let i = 0; i < doc.countPages(); i++) {
  const page = doc.loadPage(i);
  console.log(page.toStructuredText('preserve-whitespace').asText());
}
"
```
> **Note:** `mupdf` is an ESM module — use `node --input-type=module` with `import` syntax, not `require()`.
### Account Management
```bash
# List configured accounts
node {baseDir}/scripts/accounts.js --action list
# Check token status
node {baseDir}/scripts/accounts.js --action status --account <label>
```
## File Layout
```
~/.openclaw/google-workspace-byok/
├── credentials.json      # Your GCP OAuth credentials
└── tokens/
    ├── personal.json     # Token for "personal" account
    └── work.json         # Token for "work" account
```
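Every file in this layout is a long-lived secret (the OAuth client secret and per-account refresh tokens), so the following added example, which is not part of the skill, audits the tree for POSIX permissions that let other local users read them. The function name and the 0700/0600 target modes are assumptions, not something the skill documents.

```javascript
// Added example, not part of the skill: audit POSIX permissions on the OAuth files.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Default location taken from the file layout above.
const DEFAULT_DIR = path.join(os.homedir(), '.openclaw', 'google-workspace-byok');

function auditSecretFiles(baseDir = DEFAULT_DIR) {
  const findings = [];
  const check = (file, kind) => {
    let st;
    try {
      st = fs.lstatSync(file);
    } catch {
      return; // not present, nothing to audit
    }
    const rel = path.relative(baseDir, file) || '.';
    if (st.isSymbolicLink()) {
      // A symlinked secret may live somewhere with weaker protection.
      findings.push({ file: rel, issue: 'symlink' });
      return;
    }
    const mode = st.mode & 0o777;
    // Assumed target: 0700 for directories, 0600 for files (no group/other bits).
    if (mode & 0o077) {
      findings.push({ file: rel, issue: `${kind} mode ${mode.toString(8)} is group/other accessible` });
    }
  };
  check(baseDir, 'dir');
  check(path.join(baseDir, 'credentials.json'), 'file');
  const tokensDir = path.join(baseDir, 'tokens');
  check(tokensDir, 'dir');
  let names = [];
  try {
    names = fs.readdirSync(tokensDir);
  } catch {
    // no tokens directory yet
  }
  for (const name of names.filter((n) => n.endsWith('.json')).sort()) {
    check(path.join(tokensDir, name), 'file');
  }
  return findings;
}

console.log(auditSecretFiles());
```

An empty array means nothing under the directory is readable by group or other; each finding names the path relative to the base directory so it can be fixed with `chmod`.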
## Troubleshooting
### `Error 403: access_denied` — "has not completed the Google verification process"
Your app is in **Testing** mode and the Google account isn't listed as a test user. Fix: **Google Auth Platform → Audience → Test users → Add** the email.
### `Error: invalid_grant`
The refresh token expired or was revoked. Re-run `node {baseDir}/scripts/auth.js --account <label>` to re-authorize.
### Tokens expire after 7 days
Apps in "Testing" publishing status issue tokens that expire after 7 days. Publish your app to "Production" for long-lived tokens. For personal Gmail (External user type), you can skip verification and just accept the "unverified app" warning.
### `Error: redirect_uri_mismatch`
Your credentials.json doesn't include `http://localhost` as a redirect URI. Edit your OAuth client in GCP Console → **Authorized redirect URIs** → add `http://localhost`.
### `npm install` fails or `mupdf` won't install
`mupdf` requires a C++ build toolchain on some platforms. If it fails, you can still use all other features — PDF text extraction is the only feature that requires it. Try: `npm install --ignore-scripts` to skip native compilation, then install `mupdf` separately if needed.