Feature: Migrate Google Workspace Skill to Official Google Workspace CLI (gws)

[teknium1]

Overview

Google has released an official CLI for Google Workspace — @googleworkspace/cli (binary name: gws). Written in Rust, it dynamically generates its entire command surface from Google's Discovery Service, giving it automatic access to every Google Workspace API. Released March 2, 2026 by Justin Poehnelt (Google Workspace DevRel).

Our current google-workspace skill uses ~750 lines of custom Python scripts wrapping google-api-python-client. It covers 6 services with limited operations. The gws CLI gives us comprehensive access to ALL 25+ Workspace APIs, 730 MCP tools, cross-service workflows, and helper commands — all with zero maintenance on our side.

Hands-on testing confirmed: gws is ready for integration. See testing comment for full results.

---

Research Findings

How gws Works

Dynamic command generation from Google's Discovery Service — never goes stale:

gws <service> <resource> [sub-resource] <method> [flags]

Helper commands (agent-optimized):

gws gmail +send --to user@example.com --subject "Hello" --body "Hi!"
gws gmail +triage                                    # Unread inbox summary
gws drive +upload ./report.pdf                       # Upload with auto metadata
gws calendar +insert --summary "Meeting" --start ... --end ...
gws calendar +agenda                                 # Upcoming events
gws sheets +read SHEET_ID "Sheet1!A1:D10"
gws docs +write DOC_ID --text "..."
gws workflow +standup-report                         # Cross-service workflow

Built-in MCP server (730 tools for all services):

gws mcp -s gmail,drive,calendar,sheets,docs -e -w

Key features:

• Schema introspection: gws schema drive.files.list
• Dry-run validation: --dry-run
• Output formats: JSON, table, YAML, CSV
• Auto-pagination: --page-all
• File upload/download support
• Model Armor integration for prompt injection protection

Maturity Assessment

Factor	Status
Version	0.3.4 (pre-1.0)
Stars	~2,000 (in 3 days)
Core stability	Auth + execution engine are mature (yup-oauth2, reqwest)
npm on Linux x64	Broken (#86) — use cargo install
License	Apache-2.0 ✅
Disclaimer	"Not an officially supported Google product"

---

Current State in Hermes Agent

Existing skill: skills/productivity/google-workspace/ — Python scripts (~750 lines), 6 services, limited operations.

Coverage gap is massive:

Feature	Current Python Skill	gws CLI
Gmail	6 commands	40+ methods + helpers
Calendar	3 commands	20+ methods + helpers
Drive	Search only	15+ methods + upload
Sheets	3 commands	Full API + helpers
Docs	Read only	Full API + write
Slides, Tasks, Keep, Meet, Chat, Forms, Admin...	❌	Full API (25+ services)
Cross-service workflows	❌	5 built-in
MCP server	❌	730 tools
Schema introspection	❌	✅

---

Implementation Plan

Classification

This remains a bundled skill (not a tool). Per CONTRIBUTING.md:

• Wraps an external CLI (gws) that the agent calls via terminal
• Google Workspace is broadly useful to most users
• No custom Python integration needed in the agent harness

Phase 1: gws-Backed Skill (Target: This Month)

Goal: Replace Python scripts with gws commands in the skill, keeping our auth flow.

1. Install gws — Add to skill setup: cargo install gws or download prebuilt binary (once Linux npm is fixed)

2. Auth bridge — Keep our existing setup.py OAuth flow (works on CLI, Telegram, Discord, headless):

   • User does OAuth via our redirect-to-localhost:1-copy-URL-back flow
   • After auth, export credentials in gws-compatible format:

     {"client_id": "...", "client_secret": "...", "refresh_token": "..."}

   • Set GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE to point to this file
   • gws handles token refresh from there

3. Rewrite SKILL.md — Replace $GAPI Python commands with gws commands:

   # Old
   $GAPI gmail search "is:unread" --max 10
   # New
   gws gmail +triage --max 10 --query "is:unread"
   
   # Old
   $GAPI gmail send --to user@example.com --subject "Hello" --body "Hi"
   # New
   gws gmail +send --to user@example.com --subject "Hello" --body "Hi"
   
   # Old
   $GAPI calendar list
   # New
   gws calendar +agenda
   
   # Old (didn't exist!)
   # New
   gws drive +upload ./file.pdf
   gws workflow +standup-report
   gws tasks tasks list --params '{"tasklist": "@default"}'

4. Expand coverage — Add sections for Slides, Tasks, Keep, Forms, etc. (trivial since gws already supports them)

5. Remove Python scripts — Delete scripts/google_api.py (~486 lines). Keep scripts/setup.py for auth bridge.

Deliverables:

• Updated SKILL.md with gws commands
• Modified setup.py to also export gws-compatible credentials
• Removed google_api.py
• Added gws install instructions

Phase 2: MCP Integration (Future)

Goal: Use gws as an MCP server for native tool-level Google API access.

1. Add gws MCP server to ~/.hermes/config.yaml:

   mcp_servers:
     google-workspace:
       command: gws
       args: [mcp, -s, gmail,drive,calendar,sheets,docs, -e, -w]
       env:
         GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE: ~/.hermes/google_credentials.json

2. This gives the agent direct tool access to 137+ Google API operations without going through terminal

3. The skill would shift from "how to use gws CLI" to "when to use which Google Workspace MCP tools"

Benefits:

• No terminal parsing — structured JSON in/out
• Parallel tool calls to multiple Google APIs
• Richer error handling via MCP protocol

Phase 3: Full Ecosystem (Future)

• Evaluate gws's recipe skills for complex workflows
• Consider supporting gws auth setup when gcloud is available (faster setup for users who have it)
• Monitor for gws v1.0 — may simplify auth story

---

Pros & Cons

Pros

• 10x API coverage — 730 tools vs ~15 commands
• Zero maintenance — Discovery-based, auto-updates with Google APIs
• Better security — AES-256-GCM encrypted credentials
• Agent-optimized — Helper commands, workflows, Model Armor
• MCP server — Direct path to native Hermes MCP integration
• Single binary — No Python dependency chain

Cons / Risks

• Pre-1.0 — Breaking changes possible (our skill layer absorbs these)
• Linux npm broken — Must use cargo install for now
• "Not officially supported" — Could lose maintenance (but it's Apache-2.0, we can fork)
• Auth UX on headless — gws auth login requires browser on same machine; mitigated by keeping our auth bridge
• Cargo dependency — Users need Rust toolchain or wait for npm fix

---

Open Questions

1. Binary distribution: Wait for npm Linux fix, or ship a prebuilt binary? Or require cargo?
2. MCP vs CLI: Start with CLI (Phase 1) and add MCP later, or go directly to MCP?
3. Scopes: gws requests broad scopes by default. Should we match our current scope set or go broader?
4. Auth migration: For users with existing google_token.json, auto-convert to gws format?

---

References

• googleworkspace/cli
• gws issue #86 — Linux x64 npm
• skills.sh — Agent Skills Directory
• Hands-on testing results

[teknium1]

Hands-On Testing Results (March 4, 2026)

Installation

• npm on Linux x64: BROKEN (confirmed — issue feat: Add Turkish Code Analyzer Agent #86 in their repo)
• cargo install: WORKS — built from source in 22 seconds with Rust 1.93.1. Binary at ~/.cargo/bin/gws (v0.3.4)
• Binary size: single Rust binary, no runtime dependencies

CLI UX — Excellent

Help output is comprehensive and well-structured. Every service, resource, and method is documented with descriptions pulled from Google's Discovery Service.

Helper commands (+ prefix) are the killer feature for agent use:

gws gmail +send --to alice@example.com --subject "Hello" --body "Hi!"
gws gmail +triage                        # Unread inbox summary
gws gmail +watch                         # Stream new emails as NDJSON
gws drive +upload ./report.pdf           # Upload with auto metadata
gws calendar +insert --summary "Meeting" --start ... --end ...
gws calendar +agenda                     # Upcoming events
gws sheets +read SHEET_ID "Sheet1!A1:D10"
gws sheets +append SHEET_ID "Sheet1!A:C" --values ...
gws docs +write DOC_ID --text "..."      # Append to doc

Cross-service workflows are very cool:

gws workflow +standup-report             # Today's meetings + open tasks
gws workflow +meeting-prep               # Next meeting: attendees, docs
gws workflow +email-to-task --message-id MSG_ID  # Gmail → Tasks
gws workflow +weekly-digest              # Weekly summary
gws workflow +file-announce              # Share Drive file in Chat

Dry-run mode works for raw API calls:

$ gws drive files list --params '{"pageSize": 5}' --dry-run
{
  "body": null,
  "dry_run": true,
  "method": "GET",
  "url": "https://www.googleapis.com/drive/v3/files",
  "query_params": {"pageSize": "5"}
}

Schema introspection — gws schema drive.files.list shows full API documentation with every parameter, type, and description. Extremely useful for the agent to self-discover API capabilities.

Output formats: JSON (default), table, YAML, CSV — all work.

MCP Server — Works, Massively Comprehensive

Tested the built-in MCP server with JSON-RPC over stdio:

gws mcp -s gmail,drive -e    # 137 tools for just Gmail + Drive
gws mcp -s all -e -w         # 730 tools for ALL services

730 MCP tools covering every Google Workspace API method. Each tool is properly typed with inputSchema and description. The tool naming convention is clear: service_resource_method (e.g., drive_files_list, gmail_users_messages_send).

This is a direct path to native Hermes MCP integration via our existing MCP support in tools/mcp_tool.py.

Authentication — Works But Has a Platform Problem

Auth flow options tested:

1. gws auth setup — Requires gcloud CLI (not installed on our server). Automates GCP project creation. Not ideal for us.

2. gws auth login — Works with env vars GOOGLE_WORKSPACE_CLI_CLIENT_ID + GOOGLE_WORKSPACE_CLI_CLIENT_SECRET. Prints OAuth URL and starts a loopback HTTP server on a random port.

3. GOOGLE_WORKSPACE_CLI_TOKEN env var — Bypasses all auth, uses raw access token directly.

4. GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE — Points to a JSON file with client_id, client_secret, refresh_token.

⚠️ Critical issue for Hermes: The gws auth login flow starts a localhost HTTP server and waits for the OAuth redirect. This only works when the user has browser access on the same machine as the agent. For our use cases (Telegram, Discord, SSH, headless), the user's browser redirects to THEIR localhost, not the agent's server. This is a dealbreaker for gws auth login.

Solution: Our current setup.py auth flow (redirect to localhost:1, user copies URL back) works across ALL platforms. We can:

1. Keep our existing setup.py for the OAuth flow
2. Export credentials in gws-compatible format ({"client_id": "...", "client_secret": "...", "refresh_token": "..."})
3. Set GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE to point to those creds
4. Use gws for all actual API operations

The credential formats are compatible — our google_token.json contains the same fields gws needs (client_id, client_secret, refresh_token).

Error Handling — Good

Clear, JSON-formatted errors with actionable suggestions:

{
  "error": {
    "code": 401,
    "message": "Access denied. No credentials provided. Run `gws auth login`...",
    "reason": "authError"
  }
}

Service Coverage Comparison (Confirmed)

Feature	Our Python scripts	gws CLI
Gmail operations	6 commands	40+ methods + helpers
Calendar operations	3 commands	20+ methods + helpers
Drive operations	1 command (search only)	15+ methods + upload helper
Sheets operations	3 commands	Full API + helpers
Docs operations	1 command (read only)	Full API + write helper
Slides	❌	Full API
Tasks	❌	Full API
Keep, Meet, Chat, Forms, Admin...	❌	Full API (20+ services)
Cross-service workflows	❌	5 built-in workflows
MCP server	❌	730 tools
Schema introspection	❌	Full API docs on demand
Dry-run validation	❌	✅
Output formats	JSON only	JSON, table, YAML, CSV

Verdict

gws is production-quality for the CLI and MCP layers. The help, error messages, output formats, and helper commands are excellent. The only blocker is the auth flow for headless/remote platforms — but that's easily solved by keeping our existing auth and bridging credentials.

Recommendation: Proceed with migration. Despite being v0.3.4, the core functionality is solid. The pre-1.0 instability concerns are mostly about CLI flag names and API surface changes (which our skill layer absorbs anyway). The auth and execution engine are mature (uses battle-tested yup-oauth2 and reqwest).

[HenryQW]

So when is this happening?

[teknium1]

Already completed