ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Clawhub Publish 146230

v2.0.0

Generate images using the internal Google Antigravity API (Gemini 3 Pro Image). High quality, native generation without browser automation.

0· 243·0 current·0 all-time
by@gxw975
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (Antigravity/Gemini image generation) aligns with required binary (node) and declared config path (auth.profiles). However the skill claims to call an internal Google sandbox endpoint (daily-cloudcode-pa.sandbox) — acceptable for an internal tool but unusual for a third‑party skill with unknown source and no homepage.
!
Instruction Scope
SKILL.md instructs running /home/ubuntu/clawd/skills/antigravity-image-gen/scripts/generate.js and explicitly states it will read local OAuth tokens from auth-profiles.json. But this skill bundle contains no code files (only SKILL.md and _meta.json) — the referenced script is missing. Instructions also encourage using sensitive local OAuth credentials to access an internal endpoint, which increases risk if the actual script behaves differently.
Install Mechanism
No install spec (instruction-only), so nothing is written to disk by the skill installer itself. This is low-risk from an install mechanism perspective.
Credentials
The only declared config requirement is auth.profiles, which matches the instructions' stated need to read OAuth tokens. Reading OAuth credentials is sensitive but can be proportionate for an image-generation client that authenticates to an API. Still, the skill requests access to local OAuth tokens but provides no code to review, so the sensitivity is elevated.
Persistence & Privilege
The skill does not set always:true and does not request persistent system-wide privileges. Autonomous invocation is enabled by default, which is normal but should be considered along with the other concerns.
What to consider before installing
Proceed cautiously. The SKILL.md says it will read your local Google OAuth profile and call an internal/sandbox Google endpoint, but the skill package contains no script code (the generate.js it references is missing) and the source is unknown. Before installing or using it: 1) ask the publisher for the actual script/source and review it so you can confirm it only uses your tokens to call the expected Google API; 2) verify which auth.profiles file it will read and avoid using high‑privilege or production credentials (use a limited sandbox account if possible); 3) if you cannot review the code, run it in an isolated environment or decline installation; and 4) prefer skills with verifiable source/homepage and included code or official provider plugins.

Like a lobster shell, security has layers — review code before you run it.

latestvk978b2cdw20cjbmpzngytdzt8h82vben

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎨 Clawdis
Binsnode
Configauth.profiles

Comments