Antigravity Image Gen 1.0.0
Pending
Static analysis audit pending.
Overview
No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or using this skill gives it access to an existing Google Antigravity OAuth token and may consume quota or make requests under a project the user did not explicitly choose.
The script reads a local agent auth profile, extracts a Google Antigravity access token, and sends it as a bearer token. The registry metadata lists no primary credential and no required config paths, and the hard-coded fallback project ID makes project/account scope ambiguous.
const PROFILE_PATH = "/home/ubuntu/.clawdbot/agents/main/agent/auth-profiles.json"; ... const FALLBACK_PROJECT_ID = "junoai-465910"; ... token = auth.access; ... 'Authorization': `Bearer ${token}`
Only use this if you trust the publisher and intend to let it use that Google Antigravity account. The skill should declare the credential/config path in metadata, avoid hard-coded fallback projects, and require clear user confirmation before using the token.
The API behavior may be unsupported, unstable, blocked, or associated with unexpected account/quota consequences.
The skill calls an internal Google endpoint directly and explicitly changes the User-Agent to bypass deprecation checks, which is a raw API escape-hatch rather than a clearly supported, scoped integration.
const ENDPOINT = "https://daily-cloudcode-pa.sandbox.googleapis.com/v1internal:streamGenerateContent?alt=sse"; ... // IMPORTANT: Version bump to bypass deprecation checks ... 'User-Agent': 'antigravity/2.0.0 darwin/arm64'
Prefer a documented, supported API path. If this endpoint is required, the skill should clearly disclose the unsupported/internal nature and remove bypass-style headers unless the provider explicitly requires them.
It is harder to verify who published the exact artifact, which matters because the skill uses account credentials.
The bundled metadata differs from the registry metadata, which lists a different owner ID and slug. Combined with an unknown source and no homepage, this creates a provenance ambiguity.
"ownerId": "kn79jhh393p6ryrcqfgx3rvw5n802qpe", "slug": "antigravity-image-gen"
Verify the publisher and artifact provenance before installing, especially for skills that read local auth profiles.
