Antigravity Image Generator

Security checks across malware telemetry and agentic risk

Overview

This image generator mostly matches its stated purpose, but it should be reviewed because it uses local Google OAuth credentials with an internal API, a deprecation-bypass header, and a hardcoded project fallback.

Install only if you trust the publisher and are comfortable with your local Google Antigravity OAuth token being used directly against an internal Google API. Check the script, confirm the intended projectId is present in your auth profile, and be aware that prompts are sent to Google and images are written to the chosen output path.

VirusTotal

65/65 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Medium
What this means

Your account may be used against an unsupported or internal Google API path, which could cause reliability, quota, or account-policy issues.

Why it was flagged

The script calls an internal Google API endpoint directly and labels a client-header change as a way to bypass deprecation checks, which is riskier and less transparent to the user than a normal supported API call.

Skill content

const ENDPOINT = "https://daily-cloudcode-pa.sandbox.googleapis.com/v1internal:streamGenerateContent?alt=sse"; ... // IMPORTANT: Version bump to bypass deprecation checks

Recommendation

Use only if you understand and accept the internal API dependency; prefer an officially supported API path and remove any header manipulation intended to bypass provider checks.

ASI03: Identity and Privilege Abuse
Medium
What this means

Image-generation requests could be made with your OAuth token under an unexpected Google project or quota context.

Why it was flagged

The skill reads a local OAuth access token and, if the profile lacks a projectId, uses a hardcoded project ID that is not disclosed in the usage instructions.

Skill content

const FALLBACK_PROJECT_ID = "junoai-465910"; ... token = auth.access; if (auth.projectId) projectId = auth.projectId; ... 'Authorization': `Bearer ${token}`

Recommendation

Before using it, verify the auth profile has the intended Google Antigravity projectId, or modify the script to require an explicit project instead of using a hardcoded fallback.