Antigravity Image Gen
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill appears to generate images as described, but it uses local Google OAuth credentials with an internal API, a hardcoded fallback project, and provider-check bypass behavior that users should review carefully.
Before installing, confirm you trust the publisher and are comfortable with the skill reading your local Google Antigravity OAuth profile. Verify which project ID will be used, expect prompts to be sent to Google’s internal endpoint, and use safe output file paths.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can act using your Google Antigravity OAuth session, and requests may be associated with a fallback project you did not choose.
The script directly reads a local auth profile, extracts an OAuth access token, and sends it as a bearer token. If the profile lacks a projectId, it falls back to a hardcoded project ID that is not explained in the user-facing instructions.
const PROFILE_PATH = process.env.OPENCLAW_AUTH_PATH || path.join(..., '.openclaw/agents/main/agent/auth-profiles.json'); ... const FALLBACK_PROJECT_ID = "junoai-465910"; ... token = auth.access; ... 'Authorization': `Bearer ${token}`Use only if you trust the publisher and understand the Google profile/project being used. Prefer removing the hardcoded fallback or requiring an explicit user-selected project ID.
The skill may rely on unsupported or restricted provider behavior, which could break unexpectedly or violate expectations around normal API use.
The script calls a v1internal sandbox endpoint and sets client headers with an explicit comment that the version bump is intended to bypass deprecation checks.
const ENDPOINT = "https://daily-cloudcode-pa.sandbox.googleapis.com/v1internal:streamGenerateContent?alt=sse"; ... // IMPORTANT: Version bump to bypass deprecation checks ... 'User-Agent': 'antigravity/2.0.0 darwin/arm64'
Review whether this internal endpoint and client-header behavior are acceptable before use; prefer an officially documented API path when available.
It is harder to confirm that the reviewed files correspond exactly to the registry package you intended to install.
The bundled metadata does not match the supplied registry metadata, which lists a different owner ID, slug, and version for the skill under evaluation.
"ownerId": "kn79jhh393p6ryrcqfgx3rvw5n802qpe", "slug": "antigravity-image-gen", "version": "2.0.0"
Resolve the registry/package metadata mismatch before trusting the skill, especially because it reads local OAuth credentials.