Back to skill

Security audit

Antigravity Image Generator

Security checks across malware telemetry and agentic risk

Overview

The skill does what it advertises, but it uses local Google OAuth credentials and bypass-oriented request headers in a way users should review before installing.

Install only if you intentionally want generic image-generation requests to use your local Google Antigravity OAuth profile. Review which profile is in auth-profiles.json, whether you are comfortable sending prompts to the Google sandbox endpoint under your account, and whether the bypass-oriented headers are acceptable for your environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill explicitly states it uses local OAuth credentials and its metadata requires auth profiles, yet it does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: users or the platform may invoke a skill with access to sensitive authentication material without an explicit permission boundary or review signal.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script derives a local auth-profile path from environment variables and reads OAuth credentials from disk, which expands the skill's privilege beyond simple image generation into local credential access. In the context of a user-invoked skill, silently harvesting local tokens is dangerous because it grants the code access to sensitive bearer credentials that can be reused for other Google-backed services.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code deliberately sets impersonation and version-bypass headers, including a forged User-Agent and API client metadata, to appear as a different trusted client and evade deprecation or access checks. This is dangerous because it attempts to circumvent service controls and conceal the true origin of the request, behavior that is not necessary for normal image generation.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The file claims to use an internal 'Antigravity' image API but actually posts to a Cloud Code sandbox endpoint while masquerading as a different client context. This mismatch is a deception signal because it hides the real network target and makes it harder for users or reviewers to understand what service receives their prompts and credentials.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The activation phrases are very broad and match common user intents like generating images or visual content. This increases the chance the skill is auto-selected in situations where the user did not specifically intend to use an internal API-backed tool that consumes local OAuth credentials, potentially causing unintended credential use or API calls.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script loads a bearer token from a local profile and transmits it over the network without explicit user consent, clear disclosure, or guardrails around which account and service are being used. In a skill advertised as image generation, this hidden credential use increases the chance that users unknowingly authorize sensitive account actions or data access.

Credential Access

High
Category
Privilege Escalation
Content
const auth = profiles.profiles[profileKey];

    if (!auth || !auth.access) {
        console.error("Error: No google-antigravity profile or access token found.");
        process.exit(1);
    }
Confidence
96% confidence
Finding
access token

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.