Google Workspace Admin
低风险
作者:byungkyu | 审计时间:2026-02-26T09:59:20.936Z | 规则集:0.2.0
技能介绍
Access the Google Workspace Admin SDK with managed OAuth authentication. Manage users, groups, organizational units, roles, and domain settings for Google Workspace.
✨
customer - Customer ID or my_customer for your domain (required) ✨
domain - Filter by specific domain ✨
maxResults - Maximum results per page (1-500, default 100) ✨
orderBy - Sort by email, familyName, or givenName ✨
query - Search query (e.g., email:john*, name:John*) ✨
pageToken - Token for pagination 使用场景
文档(原文)
来源:SKILL.md 以下为作者原文(通常为英文)。安装请以页面顶部“快速安装”为准。
name: google-workspace-admin
description: |
Google Workspace Admin SDK integration with managed OAuth. Manage users, groups, organizational units, and domain settings. Use this skill when users want to administer Google Workspace. For other third party apps, use the api-gateway skill (https://clawhub.ai/byungkyu/api-gateway).
compatibility: Requires network access and valid Maton API key
metadata:
author: maton
version: "1.0"
clawdbot:
emoji: 🧠
homepage: "https://maton.ai"
requires:
env:
- MATON_API_KEY
Google Workspace Admin
Access the Google Workspace Admin SDK with managed OAuth authentication. Manage users, groups, organizational units, roles, and domain settings for Google Workspace.
Quick Start
# List users in the domain
python <<'EOF'
import urllib.request, os, json
req = urllib.request.Request('https://gateway.maton.ai/google-workspace-admin/admin/directory/v1/users?customer=my_customer&maxResults=10')
req.add_header('Authorization', f'Bearer {os.environ["MATON_API_KEY"]}')
print(json.dumps(json.load(urllib.request.urlopen(req)), indent=2))
EOF
Base URL
https://gateway.maton.ai/google-workspace-admin/{native-api-path}
Replace {native-api-path} with the actual Admin SDK API endpoint path. The gateway proxies requests to admin.googleapis.com and automatically injects your OAuth token.
Authentication
All requests require the Maton API key in the Authorization header:
Authorization: Bearer $MATON_API_KEY
Environment Variable: Set your API key as MATON_API_KEY:
export MATON_API_KEY="YOUR_API_KEY"
Getting Your API Key
- Sign in or create an account at maton.ai
- Go to maton.ai/settings
- Copy your API key
Connection Management
Manage your Google OAuth connections at https://ctrl.maton.ai.
List Connections
python <<'EOF'
import urllib.request, os, json
req = urllib.request.Request('https://ctrl.maton.ai/connections?app=google-workspace-admin&status=ACTIVE')
req.add_header('Authorization', f'Bearer {os.environ["MATON_API_KEY"]}')
print(json.dumps(json.load(urllib.request.urlopen(req)), indent=2))
EOF
Create Connection
python <<'EOF'
import urllib.request, os, json
data = json.dumps({'app': 'google-workspace-admin'}).encode()
req = urllib.request.Request('https://ctrl.maton.ai/connections', data=data, method='POST')
req.add_header('Authorization', f'Bearer {os.environ["MATON_API_KEY"]}')
req.add_header('Content-Type', 'application/json')
print(json.dumps(json.load(urllib.request.urlopen(req)), indent=2))
EOF
Get Connection
python <<'EOF'
import urllib.request, os, json
req = urllib.request.Request('https://ctrl.maton.ai/connections/{connection_id}')
req.add_header('Authorization', f'Bearer {os.environ["MATON_API_KEY"]}')
print(json.dumps(json.load(urllib.request.urlopen(req)), indent=2))
EOF
Response:
{
"connection": {
"connection_id": "21fd90f9-5935-43cd-b6c8-bde9d915ca80",
"status": "ACTIVE",
"creation_time": "2025-12-08T07:20:53.488460Z",
"last_updated_time": "2026-01-31T20:03:32.593153Z",
"url": "https://connect.maton.ai/?session_token=...",
"app": "google-workspace-admin",
"metadata": {}
}
}
Open the returned url in a browser to complete OAuth authorization.
Delete Connection
python <<'EOF'
import urllib.request, os, json
req = urllib.request.Request('https://ctrl.maton.ai/connections/{connection_id}', method='DELETE')
req.add_header('Authorization', f'Bearer {os.environ["MATON_API_KEY"]}')
print(json.dumps(json.load(urllib.request.urlopen(req)), indent=2))
EOF
Specifying Connection
If you have multiple Google Workspace Admin connections, specify which one to use with the Maton-Connection header:
python <<'EOF'
import urllib.request, os, json
req = urllib.request.Request('https://gateway.maton.ai/google-workspace-admin/admin/directory/v1/users?customer=my_customer')
req.add_header('Authorization', f'Bearer {os.environ["MATON_API_KEY"]}')
req.add_header('Maton-Connection', '21fd90f9-5935-43cd-b6c8-bde9d915ca80')
print(json.dumps(json.load(urllib.request.urlopen(req)), indent=2))
EOF
If omitted, the gateway uses the default (oldest) active connection.
API Reference
Users
List Users
GET /google-workspace-admin/admin/directory/v1/users?customer=my_customer&maxResults=100
Query parameters:
customer- Customer ID ormy_customerfor your domain (required)domain- Filter by specific domainmaxResults- Maximum results per page (1-500, default 100)orderBy- Sort byemail,familyName, orgivenNamequery- Search query (e.g.,email:john*,name:John*)pageToken- Token for pagination
Example:
python <<'EOF'
import urllib.request, os, json
req = urllib.request.Request('https://gateway.maton.ai/google-workspace-admin/admin/directory/v1/users?customer=my_customer&query=email:john*')
req.add_header('Authorization', f'Bearer {os.environ["MATON_API_KEY"]}')
print(json.dumps(json.load(urllib.request.urlopen(req)), indent=2))
EOF
Response:
{
"kind": "admin#directory#users",
"users": [
{
"id": "123456789",
"primaryEmail": "john@example.com",
"name": {
"givenName": "John",
"familyName": "Doe",
"fullName": "John Doe"
},
"isAdmin": false,
"isDelegatedAdmin": false,
"suspended": false,
"creationTime": "2024-01-15T10:30:00.000Z",
"lastLoginTime": "2025-02-01T08:00:00.000Z",
"orgUnitPath": "/Sales"
}
],
"nextPageToken": "..."
}
Get User
GET /google-workspace-admin/admin/directory/v1/users/{userKey}
userKey can be the user's primary email or unique user ID.
Create User
POST /google-workspace-admin/admin/directory/v1/users
Content-Type: application/json
{
"primaryEmail": "newuser@example.com",
"name": {
"givenName": "Jane",
"familyName": "Smith"
},
"password": "temporaryPassword123!",
"changePasswordAtNextLogin": true,
"orgUnitPath": "/Engineering"
}
Update User
PUT /google-workspace-admin/admin/directory/v1/users/{userKey}
Content-Type: application/json
{
"name": {
"givenName": "Jane",
"familyName": "Smith-Johnson"
},
"suspended": false,
"orgUnitPath": "/Sales"
}
Patch User (partial update)
PATCH /google-workspace-admin/admin/directory/v1/users/{userKey}
Content-Type: application/json
{
"suspended": true
}
Delete User
DELETE /google-workspace-admin/admin/directory/v1/users/{userKey}
Make User Admin
POST /google-workspace-admin/admin/directory/v1/users/{userKey}/makeAdmin
Content-Type: application/json
{
"status": true
}
Groups
List Groups
GET /google-workspace-admin/admin/directory/v1/groups?customer=my_customer
Query parameters:
customer- Customer ID ormy_customer(required)domain- Filter by domainmaxResults- Maximum results (1-200)userKey- List groups for a specific user
Get Group
GET /google-workspace-admin/admin/directory/v1/groups/{groupKey}
groupKey can be the group's email or unique ID.
Create Group
POST /google-workspace-admin/admin/directory/v1/groups
Content-Type: application/json
{
"email": "engineering@example.com",
"name": "Engineering Team",
"description": "All engineering staff"
}
Update Group
PUT /google-workspace-admin/admin/directory/v1/groups/{groupKey}
Content-Type: application/json
{
"name": "Engineering Department",
"description": "Updated description"
}
Delete Group
DELETE /google-workspace-admin/admin/directory/v1/groups/{groupKey}
Group Members
List Members
GET /google-workspace-admin/admin/directory/v1/groups/{groupKey}/members
Add Member
POST /google-workspace-admin/admin/directory/v1/groups/{groupKey}/members
Content-Type: application/json
{
"email": "user@example.com",
"role": "MEMBER"
}
Roles: OWNER, MANAGER, MEMBER
Update Member Role
PATCH /google-workspace-admin/admin/directory/v1/groups/{groupKey}/members/{memberKey}
Content-Type: application/json
{
"role": "MANAGER"
}
Remove Member
DELETE /google-workspace-admin/admin/directory/v1/groups/{groupKey}/members/{memberKey}
Organizational Units
List Org Units
GET /google-workspace-admin/admin/directory/v1/customer/my_customer/orgunits
Query parameters:
type-all(default) orchildrenorgUnitPath- Parent org unit path
Get Org Unit
GET /google-workspace-admin/admin/directory/v1/customer/my_customer/orgunits/{orgUnitPath}
Create Org Unit
POST /google-workspace-admin/admin/directory/v1/customer/my_customer/orgunits
Content-Type: application/json
{
"name": "Engineering",
"parentOrgUnitPath": "/",
"description": "Engineering department"
}
Update Org Unit
PUT /google-workspace-admin/admin/directory/v1/customer/my_customer/orgunits/{orgUnitPath}
Content-Type: application/json
{
"description": "Updated description"
}
Delete Org Unit
DELETE /google-workspace-admin/admin/directory/v1/customer/my_customer/orgunits/{orgUnitPath}
Domains
List Domains
GET /google-workspace-admin/admin/directory/v1/customer/my_customer/domains
Get Domain
GET /google-workspace-admin/admin/directory/v1/customer/my_customer/domains/{domainName}
Roles
List Roles
GET /google-workspace-admin/admin/directory/v1/customer/my_customer/roles
List Role Assignments
GET /google-workspace-admin/admin/directory/v1/customer/my_customer/roleassignments
Query parameters:
userKey- Filter by userroleId- Filter by role
Create Role Assignment
POST /google-workspace-admin/admin/directory/v1/customer/my_customer/roleassignments
Content-Type: application/json
{
"roleId": "123456789",
"assignedTo": "user_id",
"scopeType": "CUSTOMER"
}
Code Examples
JavaScript
const headers = {
'Authorization': `Bearer ${process.env.MATON_API_KEY}`
};
// List users
const users = await fetch(
'https://gateway.maton.ai/google-workspace-admin/admin/directory/v1/users?customer=my_customer',
{ headers }
).then(r => r.json());
// Create user
await fetch(
'https://gateway.maton.ai/google-workspace-admin/admin/directory/v1/users',
{
method: 'POST',
headers: { ...headers, 'Content-Type': 'application/json' },
body: JSON.stringify({
primaryEmail: 'newuser@example.com',
name: { givenName: 'New', familyName: 'User' },
password: 'TempPass123!',
changePasswordAtNextLogin: true
})
}
);
Python
import os
import requests
headers = {'Authorization': f'Bearer {os.environ["MATON_API_KEY"]}'}
# List users
users = requests.get(
'https://gateway.maton.ai/google-workspace-admin/admin/directory/v1/users',
headers=headers,
params={'customer': 'my_customer'}
).json()
# Create user
response = requests.post(
'https://gateway.maton.ai/google-workspace-admin/admin/directory/v1/users',
headers=headers,
json={
'primaryEmail': 'newuser@example.com',
'name': {'givenName': 'New', 'familyName': 'User'},
'password': 'TempPass123!',
'changePasswordAtNextLogin': True
}
)
Notes
- Use
my_customeras the customer ID for your own domain - User keys can be primary email or unique user ID
- Group keys can be group email or unique group ID
- Org unit paths start with
/(e.g.,/Engineering/Frontend) - Admin privileges are required for most operations
- Password must meet Google's complexity requirements
- IMPORTANT: When using curl commands, use
curl -gwhen URLs contain brackets (fields[],sort[],records[]) to disable glob parsing - IMPORTANT: When piping curl output to
jqor other commands, environment variables like$MATON_API_KEYmay not expand correctly in some shell environments. You may get "Invalid API key" errors when piping.
Error Handling
| Status | Meaning |
|---|---|
| 400 | Missing Google Workspace Admin connection |
| 401 | Invalid or missing Maton API key |
| 403 | Insufficient admin privileges |
| 404 | User, group, or resource not found |
| 429 | Rate limited (10 req/sec per account) |
| 4xx/5xx | Passthrough error from Admin SDK API |
Troubleshooting: API Key Issues
- Check that the
MATON_API_KEYenvironment variable is set:
echo $MATON_API_KEY
- Verify the API key is valid by listing connections:
python <<'EOF'
import urllib.request, os, json
req = urllib.request.Request('https://ctrl.maton.ai/connections')
req.add_header('Authorization', f'Bearer {os.environ["MATON_API_KEY"]}')
print(json.dumps(json.load(urllib.request.urlopen(req)), indent=2))
EOF
Troubleshooting: Invalid App Name
- Ensure your URL path starts with
google-workspace-admin. For example:
- Correct:
https://gateway.maton.ai/google-workspace-admin/admin/directory/v1/users?customer=my_customer - Incorrect:
https://gateway.maton.ai/admin/directory/v1/users?customer=my_customer
Resources
安全审计
低风险
摘要
Google Workspace Admin SDK integration with managed OAuth. Manage users, groups, organizational units, and domain settings. Use this skill when users want to administer Google Workspace. For other third party apps, use the api-gateway skill (https://clawhub.ai/byungkyu/api-gateway).
风险画像
ToxicSkills 分析
黑名单
未命中
提示词注入
未检测到
当前静态检测未发现 Toxic 信号。
关键风险 0 项
暂无 LLM 风险要点(LLM 未启用或无缓存)。
确定性发现(证据)
未检测到发现。
评分标准
每个技能从 5 个维度评分,加权总分决定星级。
代码毒性 100/100 (权重 30%)
隐私风险 100/100 (权重 25%)
权限范围 100/100 (权重 20%)
作者声誉 75/100 (权重 15%)
代码质量 70/100 (权重 10%)
星级说明
5★ 安全 — 总分 ≥ 80
4★ 良好 — 总分 70–79
3★ 注意 — 总分 60–69
2★ 有风险 — 总分 40–59
1★ 危险 — 总分 < 40
为何是这个评分?
所有维度均高于 60 分,该技能通过安全基线。