Is chocomintx/antigravity-rotator safe?

https://github.com/openclaw/skills/tree/main/skills/chocomintx/antigravity-rotator

69
CAUTION

This skill is a Google Antigravity quota rotation manager with a legitimate operational purpose, but contains serious security implementation flaws that create significant risk. The most critical issues are: (1) a Google OAuth client secret hardcoded in a public GitHub repository, giving the skill author permanent access to the OAuth application; (2) a web dashboard bound to all network interfaces (0.0.0.0) with no authentication, exposing OAuth credential management to the local network; and (3) full read/write access to all Google OAuth tokens combined with a cron-executed persistence mechanism that would automatically execute any future malicious update from the public GitHub source. Canary files were not exfiltrated during the static analysis phase, and the clone behavior was clean.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 40/100 · 25%
Code Execution 65/100 · 20%
Clone Behavior 80/100 · 10%
Canary Integrity 85/100 · 10%
Behavioral Reasoning 40/100 · 5%

Findings (10)

CRITICAL OAuth Client Secret Hardcoded in Public Repository -30

The Google OAuth client secret is hardcoded directly in both rotator.js and assets/config.example.json and stored in a publicly accessible GitHub repository. This secret is used for all token refresh operations, meaning anyone who reads the source code can use it for OAuth flows. The skill author retains access to this credential and can potentially monitor or intercept authentication traffic associated with this OAuth application.

HIGH Dashboard HTTP Server Exposed on All Network Interfaces -20

The dashboard web server binds to 0.0.0.0 (all network interfaces) rather than 127.0.0.1. This exposes the management interface — including OAuth account enumeration, credential sync, and log access APIs — to every host on the local network. No authentication is implemented on the dashboard or its /api endpoint. An attacker on the same network can enumerate all authenticated Google accounts, trigger credential syncs, and read rotation logs.

HIGH Full Read/Write Access to All Google OAuth Tokens -10

The skill reads, modifies, and overwrites ~/.openclaw/agents/main/agent/auth-profiles.json which contains all Google OAuth access tokens, refresh tokens, and expiry times for every authenticated account. The performRotation function overwrites the VIP rotation slot with any account's credentials. The warmup function temporarily replaces the VIP token to send warmup requests. This gives the skill complete authority over every managed credential.

HIGH Supply Chain Risk via Public GitHub Cron-Executed Code -35

The skill is distributed from a public GitHub repository and instructs users to install a cron job that executes the skill's code every 10 minutes. A malicious update to the GitHub repository would be executed on the next cron tick, with full access to all OAuth credentials. There is no version pinning, integrity verification, or signature checking on the installed code.

MEDIUM Shell Command Injection Risk via execSync String Interpolation -20

rotator.js constructs shell commands using string interpolation and executes them via execSync. The fetchAccountQuota function interpolates access tokens and header values directly into curl command strings. If an access token or header value contains shell metacharacters (e.g., $(), backticks, quotes), command injection is possible. While tokens are typically base64url-encoded, compromised or malformed auth data could exploit this.

MEDIUM Unauthenticated API Endpoint Triggers Arbitrary Command Execution -15

The dashboard /api endpoint handles a 'triggerRotate' action that calls exec() to spawn the rotate script. This endpoint is accessible to anyone on the local network (given the 0.0.0.0 binding) without authentication. Combined with the network exposure finding, a local network attacker can trigger credential access and OAuth token operations on demand.

MEDIUM Shared Third-Party OAuth Application Credentials Create Trust Dependency -10

The skill defaults to using OAuth credentials (CLIENT_ID, CLIENT_SECRET, DEFAULT_PROJECT_ID) that are controlled by the skill author and hardcoded in a public repository. All users of this skill who do not configure their own OAuth application will have their token refresh requests associated with the skill author's OAuth app. This gives the skill author visibility into which accounts are refreshing tokens and the ability to revoke access by canceling the OAuth app.

LOW SKILL.md Instructs Persistent Crontab Installation -8

The SKILL.md documentation explicitly instructs users to install a system crontab entry that executes the skill's rotate action every 10 minutes indefinitely. This establishes machine-level persistence for code that accesses OAuth credentials, independent of whether the user is actively using the skill.

INFO Clean Installation — No Unexpected Network Activity During Clone 0

The skill installation performed only a standard sparse git clone from github.com with no additional downloads, no package installation, and no unexpected outbound connections. No filesystem changes were observed outside the skill directory during installation.

INFO No npm Lifecycle Scripts Present 0

The package.json contains no preinstall, postinstall, prepare, or other lifecycle scripts that would execute code automatically upon npm install.