OpenClaw Antigravity Sync Skill
PassAudited by ClawScan on May 10, 2026.
Overview
The skill appears to do what it claims—use your Google Antigravity login to update OpenClaw model settings—but it does make persistent configuration changes that users should review.
Before installing or running, confirm you trust the skill source, make sure it should use your Google Antigravity auth profile, and inspect the backup/diff of ~/.openclaw/openclaw.json after syncing.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill lets it act with your existing Google Antigravity/OpenClaw authentication for the model-discovery request.
The script reads a local OpenClaw auth profile and uses the Google Antigravity access token. This is expected for fetching account-specific models/quotas, and the token is sent only to the disclosed Google endpoint in the provided code.
const AUTH_PROFILES_PATH = path.join(CONFIG_DIR, 'agents/main/agent/auth-profiles.json'); ... return { token: profile.access, projectId: profile.projectId };Run it only for the intended Google/OpenClaw account, and revoke or refresh the auth profile if you no longer trust the skill.
Future OpenClaw sessions or agents may use a different Google Antigravity model after the sync.
The script updates the persistent OpenClaw configuration and may change the default model used by future agent runs. This matches the skill purpose and it creates a backup, but the effect persists beyond the current command.
config.models.providers["google-antigravity"].models = modelDefinitions; ... config.agents.defaults.model.primary = fullId; ... fs.writeFileSync(OPENCLAW_JSON_PATH, JSON.stringify(config, null, 2));
Review the generated ~/.openclaw/openclaw.json changes and keep the .bak backup until you confirm the new defaults are correct.
It may be harder to confirm that this skill comes from a trusted maintainer or to audit future versions.
The package provenance is not established in the supplied metadata. The provided code is readable and has no dependencies, but users lack an external source/homepage to verify updates or ownership.
Source: unknown; Homepage: none
Install only if you trust the registry entry or have independently reviewed the included files.