Gmail OAuth

通过 OAuth 访问 Gmail API 的授权、刷新与范围选择；勿将 refresh_token 写入仓库。

v1.0.0 kai-jar

作者 / 来源

skillhub

在来源站打开

登录后收藏登录后加入合集

安装方式

CLI 安装（推荐）

claw install shub-gmail-oauth

需要安装 CLAW CLI

手动下载安装

下载 ZIP 后解压到技能目录即可安装。若在桌面客户端 WebView中直接下载出现异常，本站会改为提示页 + 原始链接，请按页内说明操作。

下载 ZIP (shub-gmail-oauth-v1.0.0.zip)

触发指令

/gmail-oauth

跨平台安装指引

该技能声明兼容以下 1 个平台，将 ZIP 解压到对应目录即可被识别。

支持矩阵

Claude Code Coding Agent

macOS / Linux：~/.claude/skills/

Windows：%USERPROFILE%\.claude\skills\

unzip shub-gmail-oauth-v1.0.0.zip -d ~/.claude/skills/

目录不存在时请先 mkdir -p 创建；启用 Skill 后请重启对应 Agent 让配置生效。

使用指南

Gmail OAuth

围绕 Gmail OAuth：通过 OAuth 访问 Gmail API 的授权、刷新与范围选择；勿将 refresh_token 写入仓库。无需在每次任务前把零散英文说明手工拼进上下文，也减少与客户端默认行为脱节的试错；具体命令、钩子与 JSON 参数仍以 ZIP 包内 SKILL.md 为权威。下文结构与站内 MCP CLI 类专题稿相同：何时用、前置、流程、速查与故障。

何时使用

通过 OAuth 访问 Gmail API 的授权、刷新与范围选择
勿将 refresh_token 写入仓库
已获取本技能 ZIP，并准备在 Claude Code / OpenClaw 中按 SKILL.md 挂载。
希望用中文专题稿快速判断「该不该启用」，再深入英文 SKILL 查参数与边界。
需要与团队对齐同一套触发方式、目录约定或回调格式时。

前置条件

通用：可运行 Claude Code 或文档要求的客户端；有可读写的项目工作区（或 SKILL.md 指定的沙箱目录）。
权威细节：API Key / OAuth、钩子路径、环境变量以 ZIP 内 SKILL.md 为准。
OAuth：可完成浏览器授权或使用文档中的无头/自动化续期流程。

典型流程

从 ClawHub / 站内分发获取技能 ZIP，校验版本与校验和（若提供）。
阅读 SKILL.md 的安装段落：目录落点、客户端类型（Claude Code / OpenClaw / 脚本）。
跑通一次完整登录与心跳/续期路径，确认刷新失败时的告警渠道。
确认工作目录、权限边界与输出路径后，再处理多文件或长耗时任务。
需要回调 / Webhook / 通知时，按 SKILL.md 配置端点并在测试环境先验通。

与 ZIP / SKILL.md 的关系

站内专题稿与 MCP CLI 类 oss 稿同样：概括何时用、怎么接、怎么排错；命令模板、钩子名、JSON 字段、版本矩阵一律以 ZIP 内 SKILL.md 与 ClawHub 上游为准。

命令示例（摘自包内 SKILL.md）

以下为从上游 SKILL.md（或入库正文）自动抽取的终端/脚本片段；路径、环境变量与参数以当前 ZIP 与官方说明为准。

ClawHub slug：gmail-oauth（安装命令以 SKILL.md / claw CLI 为准）。

gog auth credentials /path/to/client_secret.json
gog auth keyring file  # Use file-based keyring for headless
export GOG_KEYRING_PASSWORD="your-password"  # Add to .bashrc

# Generate URL
scripts/gmail-auth.sh --url

# User opens URL, approves, copies code from localhost redirect
# Exchange code (do this quickly - codes expire in minutes!)
scripts/gmail-auth.sh --exchange CODE EMAIL

gog gmail search 'is:unread' --max 5 --account you@gmail.com

站内入库时的触发命令（完整语义见 ZIP）：

# 使用本技能时可在对话中引用或执行上述指令；完整参数与示例见下载包内 SKILL.md。
/gmail-oauth

最佳实践

先 SKILL.md 再猜参数；站内专题稿不替代 schema 与必填字段说明。
委派任务时写清验收标准（命令、文件路径、测试命令），减少来回追问。
长任务用文档推荐的回调 / 日志落盘代替高频轮询，省 Token 也省机器负载。
多技能同时启用时，注意钩子加载顺序与重复工具调用（以 SKILL.md 冲突说明为准）。

调试与排错

打开 stderr 与客户端日志；PTY/tmux 场景同时看面板最后几十行输出。
参数错误时对照 SKILL.md 中的 JSON/CLI 示例（引号、转义、工作目录）。
网络类失败：查代理、防火墙、MCP 传输方式（stdio / HTTP / SSE）。
OAuth：看令牌过期时间、浏览器自动化是否被拦截、刷新接口返回码。

速查

| 动作 | 说明 | |------|------| | 获取技能包 | ClawHub / 站内 ZIP，核对版本 | | 权威步骤 | 优先阅读 ZIP 内 SKILL.md | | 首次试跑 | 使用 SKILL.md 最小示例 | | 验收 | 对照路径、测试命令或回调负载 |

常见故障

无输出或立即退出 → 工作目录错误、依赖未装、或 Claude Code 未登录；按 SKILL.md 自检清单执行。
权限被拒绝 → 检查沙箱路径、--permission-mode 与工具白名单。
与简介不符 → 以英文 SKILL 与上游仓库为准，站内稿仅作结构化导读。
续期失败 → 浏览器会话、时钟偏差或刷新令牌吊销；走 SKILL.md 三层策略中的下一层。

# Gmail OAuth Setup

Headless-friendly OAuth flow for Gmail API access using `gog` CLI.

## Prerequisites

- `gog` CLI installed (`brew install steipete/tap/gogcli`)
- Google Cloud project with OAuth credentials (Desktop app type)
- Gmail API enabled in the project

## Quick Setup

### 1. Create Google Cloud Project & Credentials

1. Go to https://console.cloud.google.com
2. Create a new project (or select existing)
3. **Enable Gmail API**: APIs & Services → Library → search "Gmail API" → Enable
4. **Configure OAuth consent screen**: APIs & Services → OAuth consent screen
   - Choose "External" user type
   - Fill in app name, user support email
   - Add scopes: `gmail.modify` (or others as needed)
   - **Important**: Click "PUBLISH APP" for permanent tokens (see Troubleshooting)
5. **Create credentials**: APIs & Services → Credentials → Create Credentials → OAuth client ID
   - Application type: **Desktop app**
   - Download the JSON file

### 2. Configure gog

```bash
gog auth credentials /path/to/client_secret.json
gog auth keyring file  # Use file-based keyring for headless
export GOG_KEYRING_PASSWORD="your-password"  # Add to .bashrc
```

### 3. Run Auth Flow

Run `scripts/gmail-auth.sh` interactively, or:

```bash
# Generate URL
scripts/gmail-auth.sh --url

# User opens URL, approves, copies code from localhost redirect
# Exchange code (do this quickly - codes expire in minutes!)
scripts/gmail-auth.sh --exchange CODE EMAIL
```

### 4. Verify

```bash
gog gmail search 'is:unread' --max 5 --account you@gmail.com
```

## Troubleshooting

### "Access blocked: [app] has not completed the Google verification process"

**Cause**: App is in "Testing" mode and the Gmail account isn't a test user.

**Solutions** (choose one):
1. **Publish the app** (recommended):
   - Google Cloud Console → APIs & Services → OAuth consent screen
   - Click **"PUBLISH APP"** → Confirm
   - No Google review needed for personal use
   - Tokens become permanent

2. **Add test user**:
   - OAuth consent screen → Test users → + ADD USERS
   - Add the Gmail address you're authorizing
   - Tokens still expire in 7 days

### "Google hasn't verified this app" warning screen

**This is normal for personal apps.** Click:
1. **Advanced** (bottom left)
2. **Go to [app name] (unsafe)**

Safe to proceed since you own the app.

### Token expires in 7 days

**Cause**: App is in "Testing" mode.

**Fix**: Publish the app (see above). Published apps get permanent refresh tokens.

### "invalid_request" or "invalid_grant" errors

**Causes**:
- Authorization code expired (they only last a few minutes)
- Code was already used
- Redirect URI mismatch

**Fix**: Generate a fresh auth URL and complete the flow quickly. Paste the code immediately after getting it.

### "redirect_uri_mismatch" error

**Cause**: The redirect URI in the token exchange doesn't match what was used in the auth URL.

**Fix**: This script uses `http://localhost`. Make sure both the auth URL and exchange use the same redirect URI.

### Page hangs after approving permissions (mobile)

**Cause**: Browser trying to connect to localhost which doesn't exist on phone.

**Fix**: 
- Use a desktop browser instead
- Or tap the address bar while it's "hanging" - the URL contains the code
- The URL will look like: `http://localhost/?code=4/0ABC...`

### Multiple permission checkboxes causing hangs

**Cause**: Too many OAuth scopes requested.

**Fix**: Use minimal scopes. `gmail.modify` alone is usually sufficient and shows just one permission.

### Can't find project in Google Cloud Console

**Cause**: Signed into wrong Google account.

**Fix**: Check which account owns the project:
- Click profile icon (top right)
- Switch accounts
- Check project dropdown for each account

### "invalid_request" with oob redirect (new projects)

**Cause**: Google deprecated `urn:ietf:wg:oauth:2.0:oob` for OAuth clients created after 2022.

**Fix**: Use `http://localhost` redirect instead (this script's default). After approval, browser redirects to localhost with code in URL.

## Scopes Reference

| Scope | Access |
|-------|--------|
| `gmail.modify` | Read, send, delete, manage labels (recommended) |
| `gmail.readonly` | Read only |
| `gmail.send` | Send only |
| `gmail.compose` | Create drafts, send |

## Files

- `scripts/gmail-auth.sh` — Interactive auth helper

## Tips

- **Publish your app** — Avoids test user limits and 7-day token expiry
- **Exchange codes quickly** — They expire in minutes
- **Use desktop browser** — Mobile browsers can be finicky with localhost redirects
- **One scope is enough** — `gmail.modify` covers most use cases