Publish Antigravity Rotator

Security checks across malware telemetry and agentic risk

Overview

This skill has a real account-rotation purpose, but it exposes powerful account and session controls through an unauthenticated network dashboard and under-disclosed credential handling.

Install only if you intentionally want this skill to manage Antigravity account rotation and live session switching. Do not expose port 18090 to a LAN or the internet; bind it to localhost or put it behind authentication first. Back up OpenClaw auth profiles, review the cron entry before enabling it, use low-risk dedicated accounts where possible, and treat config.json and auth profile files as sensitive because the skill can refresh tokens and rewrite active account state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises and instructs execution of actions that require shell, network, and environment access, yet it declares no permissions. This undermines informed consent and security review because operators cannot accurately assess the skill's effective privileges before running setup, dashboard, and rotation actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented behavior materially understates sensitive operations: token refresh with stored refresh tokens, direct calls to Google APIs, credential-profile rewriting, unauthenticated dashboard exposure, account enumeration, subprocess triggering, and automatic warmup requests. This mismatch is dangerous because users may run a credential-handling and network-exposed automation tool without understanding it can modify local auth state and expose control surfaces remotely.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The dashboard binds an HTTP server to 0.0.0.0 and exposes state-changing API actions with no authentication, authorization, or CSRF protection. Any reachable client can remove accounts, rewrite model priority, sync credential-derived accounts, or trigger local process execution, which turns a monitoring panel into a remote administrative interface.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The dashboard directly mutates persistent configuration in response to HTTP API requests, including account list changes and model-priority rewrites. In combination with the exposed network listener and lack of auth, this allows remote tampering with operational behavior and persistence across restarts.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The code modifies PATH and executes shell commands via execSync, increasing the attack surface and making behavior depend on the host environment. In this skill context, account rotation does require invoking an external CLI, but doing so through shell interpolation and PATH manipulation is riskier than necessary and could enable command hijacking if configuration or environment values are influenced by an attacker.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The source hardcodes an OAuth client secret and default project identifier, exposing sensitive credentials to anyone with access to the code. Hardcoded secrets are easily reused, leaked, or abused for unauthorized token operations, especially in a tool that already handles refresh tokens and account switching.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
This function directly exchanges stored refresh tokens for access tokens against Google's OAuth endpoint, which is a highly sensitive capability. In the context of a multi-account rotator, this materially increases risk because compromise of local profile data or command construction could lead to account takeover or unauthorized API access across all managed accounts.

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
The warmup routine creates additional sessions and sends messages automatically, going beyond simple model rotation into autonomous action on behalf of the user. This can consume quota, alter runtime state, and generate unintended external requests without a clear user prompt or necessity for the advertised functionality.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs users to place OAuth client credentials and project identifiers into config.json without any guidance on secret handling, storage permissions, or safer alternatives. This increases the likelihood of credential leakage through source control, backups, logs, or overly permissive filesystem access, especially in an automation-focused workflow.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code refreshes tokens, updates auth profile files, and writes status information without any user-facing disclosure or confirmation. Because these files appear to store access credentials and active-account state, silent modification increases the chance of credential misuse, accidental persistence of secrets, and unnoticed account switching.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The skill silently executes external commands to switch models and patch sessions, directly modifying runtime behavior without prior notice. In this context, that means the tool can alter live agent state and account selection unexpectedly, which is especially risky in automation environments where operators may not realize external subprocesses are being invoked.

VirusTotal

66/66 vendors flagged this skill as clean.
