Is finderstrategy-cyber/antigravity-balance safe?
https://github.com/openclaw/skills/tree/main/skills/finderstrategy-cyber/antigravity-balance
The antigravity-balance skill is a legitimate, well-scoped utility for checking Windsurf/Antigravity IDE quota by discovering and querying the local language server process over localhost HTTPS. All network activity is confined to loopback; no external endpoints are contacted by the skill script; and all honeypot canary files remained unmodified throughout the audit. The primary considerations are minor: user account PII (name, email, tier) enters LLM context by design when the skill is invoked, the script uses shell exec with a fixed non-injectable processName, and localhost port scanning occurs during API discovery.
Findings (7)
LOW User PII surfaced to LLM context by design -10
When invoked, the skill outputs the user's full name, email address, subscription tier, per-model quota percentages, and reset times from the Antigravity language server API. This information enters the agent's context window and may persist in conversation logs or be referenced in subsequent model responses without the user's awareness.
LOW CSRF token partially disclosed in verbose mode -5
When the script is invoked with -v or --verbose flags, it logs the first 8 characters of the extracted CSRF token to stderr alongside the extension port. While truncated, this is a partial credential disclosure that could appear in agent debug output or logs.
LOW Shell execution via execAsync with ps pipeline -10
The script uses Node.js child_process.exec() to run a shell pipeline (ps | grep | grep -v). While the processName argument is safely derived from Node.js runtime constants and is not injectable, the pattern of shell execution warrants documentation. The exec() call is not sandboxed and runs with the agent's full OS permissions.
LOW Localhost port range scanning during API discovery -5
findApiPort() first probes four specific ports, then falls back to scanning extensionPort-10 through extensionPort+10 on localhost. While confined to loopback, this constitutes automated port probing that could touch unrelated local services.
LOW TLS certificate verification disabled for localhost requests -5
All HTTPS requests to the local language server use rejectUnauthorized: false, bypassing TLS certificate validation. On loopback this is generally acceptable, but it means a local MITM on the loopback interface would not be detected.
INFO Standard sparse checkout installation — no anomalies 0
The skill was installed via a standard depth-1 sparse git clone from the expected repository (openclaw/skills.git on GitHub). The installation copied only the skill subdirectory and cleaned up the temporary clone. No unexpected filesystem writes, process spawning, or network connections were observed from the skill itself.
INFO All canary files intact 0
Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were not modified or exfiltrated through monitored channels. File access events for these paths at timestamps 1771919177 and 1771919199 are attributable to the oathe monitoring framework's baseline collection and SSH session initialization, consistent with normal audit infrastructure activity.