Antigravity Image Gen 1.0.0
WarnAudited by ClawScan on May 10, 2026.
Overview
The skill appears to generate images as advertised, but it uses a local Google Antigravity OAuth token and an internal Google endpoint with deprecation-bypass behavior that users should review carefully.
Review this skill before installing. It is not just a local image generator: it reads your local Google Antigravity OAuth profile and calls an internal Google endpoint. Use it only if you trust the publisher, are comfortable with your prompt and account token being used for that endpoint, and understand that the integration may be unsupported or unstable.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or using this skill gives it access to an existing Google Antigravity OAuth token and may consume quota or make requests under a project the user did not explicitly choose.
The script reads a local agent auth profile, extracts a Google Antigravity access token, and sends it as a bearer token. The registry metadata lists no primary credential and no required config paths, and the hard-coded fallback project ID makes project/account scope ambiguous.
const PROFILE_PATH = "/home/ubuntu/.clawdbot/agents/main/agent/auth-profiles.json"; ... const FALLBACK_PROJECT_ID = "junoai-465910"; ... token = auth.access; ... 'Authorization': `Bearer ${token}`Only use this if you trust the publisher and intend to let it use that Google Antigravity account. The skill should declare the credential/config path in metadata, avoid hard-coded fallback projects, and require clear user confirmation before using the token.
The API behavior may be unsupported, unstable, blocked, or associated with unexpected account/quota consequences.
The skill calls an internal Google endpoint directly and explicitly changes the User-Agent to bypass deprecation checks, which is a raw API escape-hatch rather than a clearly supported, scoped integration.
const ENDPOINT = "https://daily-cloudcode-pa.sandbox.googleapis.com/v1internal:streamGenerateContent?alt=sse"; ... // IMPORTANT: Version bump to bypass deprecation checks ... 'User-Agent': 'antigravity/2.0.0 darwin/arm64'
Prefer a documented, supported API path. If this endpoint is required, the skill should clearly disclose the unsupported/internal nature and remove bypass-style headers unless the provider explicitly requires them.
It is harder to verify who published the exact artifact, which matters because the skill uses account credentials.
The bundled metadata differs from the registry metadata, which lists a different owner ID and slug. Combined with source unknown and no homepage, this creates a provenance ambiguity.
"ownerId": "kn79jhh393p6ryrcqfgx3rvw5n802qpe", "slug": "antigravity-image-gen"
Verify the publisher and artifact provenance before installing, especially for skills that read local auth profiles.