Antigravity Bridge

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local Markdown sync bridge, but users should review it because it can continuously copy and index sensitive local notes while its safety claims are stronger than the code enforces.

Install only if you intentionally want selected Antigravity/Gemini Markdown copied into OpenClaw and indexed. Run the dry run first, keep source paths narrow, avoid broad knowledge directories unless needed, check Markdown for secrets or private session notes, keep destination values as simple relative folder names, and enable cron only if continuous indexing is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The documentation makes strong safety claims that are broader than what the described behavior guarantees. In particular, allowing user-configured destination paths and syncing additional external 'knowledge' sources weakens the claim that data only flows from Antigravity project docs into a confined OpenClaw workspace subtree. This is dangerous because operators may trust the stated boundary and deploy the skill in ways that permit unintended writes or ingestion of sensitive markdown from outside the expected scope.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script syncs optional `.knowledge` sources in addition to Antigravity project repositories, which exceeds the stated scope of a one-directional bridge from Antigravity projects. In a security-sensitive indexing pipeline, this broadens the trust boundary and allows arbitrary local directories to be ingested into the OpenClaw workspace, potentially exposing unintended internal documentation or sensitive markdown files.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The destination is computed as `"$WORKSPACE_DIR/$(expand_path "$dest_rel")"`, so if the config supplies an absolute path or a path containing traversal, the effective sync target can escape the OpenClaw workspace. That undermines the stated confinement of synced content and could overwrite or populate arbitrary user-accessible locations with mirrored documentation.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The header comment describes the tool as syncing only Antigravity/Gemini projects, but the implementation also processes separate `knowledge` sources. This kind of scope mismatch is dangerous because operators may approve or deploy the skill under a narrower data-flow assumption than what the code actually performs.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The guide explicitly recommends recurring synchronization of project markdown into another workspace and enabling indexing, but it does not warn users that documentation may contain sensitive internal data such as architecture notes, secrets accidentally committed to docs, incident writeups, or customer information. In this skill's context, the destination is a searchable memory/indexing system, which increases exposure by making copied content easier to discover and persist beyond the source repository.

VirusTotal

61/61 vendors flagged this skill as clean.
