Antigravity Quota 1.1.0

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill appears to check quotas as described, but it should be reviewed because it reads stored Antigravity OAuth refresh tokens for all configured accounts while the metadata declares no credential or config-path requirement.

This skill is coherent with quota checking and does not show unrelated exfiltration or destructive behavior. The main thing to consider is trust: running it gives the script access to stored Antigravity refresh tokens and account identifiers from Clawdbot profiles. Review the code first, run it only in a trusted environment, and avoid the optional tablesnap install unless you trust that separate tool.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the skill lets it use locally stored Antigravity account credentials for every configured account. The code does not show exfiltration to an unrelated endpoint, but these tokens are sensitive.

Why it was flagged

The script locates local Clawdbot auth-profile files, selects all google-antigravity profiles, extracts each stored refresh token, and uses it to mint access tokens. That is high-impact credential/account access, and the registry metadata declares no credential or config-path requirement.

Skill content

path.join(process.env.HOME, '.clawdbot/agents/main/agent/auth-profiles.json') ... .filter(([key]) => key.startsWith('google-antigravity:')) ... refresh: value.refresh ... const accessToken = await refreshToken(account.refresh);

Recommendation

Install and run only if you trust this publisher and have reviewed the script. The skill metadata should explicitly declare the local auth-profile paths and credential use.

What this means

Quota checks will contact Google/Cloudcode services using your Antigravity account authorization.

Why it was flagged

The skill directly calls Google OAuth and a Cloudcode internal quota endpoint. This is purpose-aligned for quota checking, but users should know where account tokens and project IDs are being used.

Skill content

const TOKEN_URL = "https://oauth2.googleapis.com/token";
const ENDPOINT = "https://cloudcode-pa.googleapis.com/v1internal:fetchAvailableModels";

Recommendation

Confirm you are comfortable with these provider API calls before running the script, especially on accounts with sensitive projects.

What this means

If you follow the optional tablesnap installation step, you will fetch and install code outside this skill that may change over time.

Why it was flagged

The optional screenshot workflow recommends installing the latest version of a third-party Go tool. It is user-directed and optional, but it is not pinned to a reviewed version.

Skill content

go install github.com/joargp/tablesnap/cmd/tablesnap@latest

Recommendation

Skip the optional tablesnap step unless needed, or pin and review the third-party tool version before installing.