Antigravity Image Gen
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: sunshine-antigravity-image-gen
Version: 1.0.1
The skill reads sensitive OAuth tokens from the local `auth-profiles.json` file to authenticate requests to an internal Google sandbox API (daily-cloudcode-pa.sandbox.googleapis.com). While this behavior is documented and aligned with the stated purpose of image generation, the script (scripts/generate.js) employs high-risk patterns including direct credential access, a hardcoded project ID (junoai-465910), and spoofed headers (X-Goog-Api-Client) to interact with undocumented internal endpoints.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can act using your Google Antigravity OAuth session, and requests may be associated with a fallback project you did not choose.
The script directly reads a local auth profile, extracts an OAuth access token, and sends it as a bearer token. If the profile lacks a projectId, it falls back to a hardcoded project ID that is not explained in the user-facing instructions.
const PROFILE_PATH = process.env.OPENCLAW_AUTH_PATH || path.join(..., '.openclaw/agents/main/agent/auth-profiles.json');
...
const FALLBACK_PROJECT_ID = "junoai-465910";
...
token = auth.access;
...
'Authorization': `Bearer ${token}`
Use only if you trust the publisher and understand the Google profile/project being used. Prefer removing the hardcoded fallback or requiring an explicit user-selected project ID.
The skill may rely on unsupported or restricted provider behavior, which could break unexpectedly or violate expectations around normal API use.
The script calls a v1internal sandbox endpoint and sets client headers with an explicit comment that the version bump is intended to bypass deprecation checks.
const ENDPOINT = "https://daily-cloudcode-pa.sandbox.googleapis.com/v1internal:streamGenerateContent?alt=sse";
...
// IMPORTANT: Version bump to bypass deprecation checks
...
'User-Agent': 'antigravity/2.0.0 darwin/arm64'
Review whether this internal endpoint and client-header behavior are acceptable before use; prefer an officially documented API path when available.
It is harder to confirm that the reviewed files correspond exactly to the registry package you intended to install.
The bundled metadata does not match the supplied registry metadata, which lists a different owner ID, slug, and version for the skill under evaluation.
"ownerId": "kn79jhh393p6ryrcqfgx3rvw5n802qpe", "slug": "antigravity-image-gen", "version": "2.0.0"
Resolve the registry/package metadata mismatch before trusting the skill, especially because it reads local OAuth credentials.
