v2.0.0

Antigravity Image Generator

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 4:56 AM.

Analysis

This image generator appears purpose-built, but it warrants review before installation: it reads local Google OAuth credentials and calls an internal Google API endpoint, falling back to a hardcoded project ID when the profile has none and sending client headers intended to bypass the provider's deprecation checks.

Guidance: Review carefully before installing. Only use this with a Google Antigravity account/profile you are comfortable exposing to the script, confirm which project ID will be used, and prefer an official, supported image-generation API if one is available.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
scripts/generate.js
const ENDPOINT = "https://daily-cloudcode-pa.sandbox.googleapis.com/v1internal:streamGenerateContent?alt=sse"; ... // IMPORTANT: Version bump to bypass deprecation checks ... 'User-Agent': 'antigravity/2.0.0 darwin/arm64'

The code calls an internal API endpoint and explicitly sets client headers (a bumped client version string in the User-Agent, per the code comment) to bypass deprecation checks. This is an escape hatch around the provider's client gating rather than use of a documented API, and the provider can close it at any time.

User impact: Your account could be used against an unsupported or internal service path, which may break unexpectedly or have account, quota, or policy consequences.
Recommendation: Prefer a documented, supported API, or require clear user approval and documentation for any internal endpoint and deprecation-bypass behavior.
Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: Medium | Status: Note
metadata
Source: unknown; Homepage: none; Version: 2.0.0

The package has no public source or homepage, and the included _meta/origin files record version 1.0.0 while the package metadata says 2.0.0, creating provenance and version ambiguity around code that handles OAuth credentials.

User impact: It is harder to verify who authored the credential-handling script or whether the reviewed files match the intended release.
Recommendation: Verify the publisher and version before installing, especially because this skill reads local OAuth tokens.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
scripts/generate.js
const profiles = JSON.parse(fs.readFileSync(PROFILE_PATH, 'utf8')); ... const FALLBACK_PROJECT_ID = "junoai-465910"; ... token = auth.access; if (auth.projectId) projectId = auth.projectId;

The script reads the local auth profile, extracts a Google Antigravity OAuth access token, and falls back to a hardcoded project ID when the profile lacks one.

User impact: The skill can use your local Google OAuth session, and in some cases may send requests under a project ID you did not explicitly choose.
Recommendation: Use only with a dedicated, least-privilege Antigravity profile; verify the project ID before use; and consider removing the hardcoded fallback or requiring explicit user selection.