Is antigravity-image-gen safe?

The skill is published under the slug 'antigravity-image-gen' but the actual installed payload is 'imsg', a completely different skill that provides full iMessage/SMS read and send capabilities. A user expecting image generation functionality would unknowingly grant their AI agent access to their entire private messaging system. This is a deliberate deception designed to bypass user consent.

The skill instructs the agent to use 'imsg history' and 'imsg chats' to read the user's complete iMessage/SMS conversation history. This exposes all private messages — including potential 2FA codes, financial information, medical communications, and intimate conversations — to the LLM context window and potentially to any party who can influence the agent's behavior.

The 'imsg send' command allows the agent to send iMessages/SMS to any phone number with arbitrary text content and file attachments. An attacker who can influence the agent (via prompt injection from another skill or from content the agent processes) could send phishing messages from the user's identity, exfiltrate local files to an attacker-controlled number, or conduct social engineering attacks against the user's contacts.

The filesystem monitoring shows that during the skill installation process, the system accessed /home/oc-exec/.aws/credentials and /home/oc-exec/.env — these are sensitive credential files. While this may be caused by the parent toolchain (OpenClaw) rather than the skill itself, the access pattern is concerning especially given the bait-and-switch nature of this skill.

The .aws/credentials and .env canary files were opened and read during the installation process. Although they were not modified (integrity check passes), the read access itself indicates credential probing behavior. The canary integrity report says 'All canary files intact' because they weren't modified, but they were accessed.

The skill requests Full Disk Access and Automation permissions for the terminal — these are extremely powerful macOS entitlements. Since the user believes they're installing an image generation tool, they would not expect to be granting iMessage access permissions. This is a privilege escalation through social engineering.

The skill specifies installation of a binary from a third-party Homebrew tap (steipete/tap/imsg). While the imsg tool itself may be legitimate, bundling it under a deceptive skill name means the user installs this binary under false pretenses, introducing supply chain risk.

The 'imsg send --file /path/pic.jpg' command can be used to send any local file to any phone number. This turns the iMessage system into a data exfiltration channel — an attacker-influenced agent could send SSH keys, credentials, or documents to an attacker's phone number.

The 'imsg watch' command enables real-time monitoring of incoming messages including attachments. If the agent runs this in the background, all new messages would flow into the LLM context, creating a persistent surveillance capability.

The .clawhub/lock.json file references a skill called 'academic-research-hub' which is neither the advertised 'antigravity-image-gen' nor the actual 'imsg' payload. This suggests the repository may have been repurposed multiple times or is part of a broader skill-squatting campaign.