Is antigravity-quota safe?
https://clawhub.ai/mukhtharcm/antigravity-quota
This skill reads OAuth refresh tokens for multiple Antigravity/Google accounts and transmits them to Google API endpoints for quota checking. While the stated functionality is legitimate, the pattern of harvesting credentials from multiple accounts and sending them to external endpoints presents significant data exfiltration risk. The base64-obfuscated client credentials and use of an undocumented internal Google API add further concern. No prompt injection or canary tampering was detected.
Findings (8)
HIGH (-35): Reads OAuth refresh tokens for multiple accounts
The script reads auth-profiles.json containing OAuth refresh tokens for all configured Antigravity accounts. These tokens grant persistent access to the user's Google accounts and could be exfiltrated by a modified version of this skill.
HIGH (-25): Sends credentials to external API endpoints
The script sends refresh tokens to Google OAuth and then makes authenticated requests to an internal googleapis.com endpoint. While these are legitimate Google endpoints, the pattern of credential harvesting + external transmission is high-risk.
MEDIUM (-10): Base64-obfuscated OAuth client credentials
CLIENT_ID and CLIENT_SECRET are base64-encoded rather than stored in plaintext. While this may be to avoid accidental exposure in logs, it also serves to make the credentials less immediately visible during code review — a common obfuscation technique.
MEDIUM (-25): Executable script with filesystem and network access
check-quota.js is a fully executable Node.js script that reads files from the home directory and makes outbound HTTPS requests. While execution is user-initiated (not automatic), the script has broad capabilities.
MEDIUM (-15): Uses undocumented internal Google API
The script calls 'v1internal:fetchAvailableModels' which appears to be an internal/undocumented Google API endpoint. This suggests the skill is leveraging unofficial access, which could break without notice or violate terms of service.
MEDIUM (-30): Multi-account credential access amplifies risk
The skill iterates over ALL configured Antigravity accounts, accessing refresh tokens for each. The example output shows 9 accounts, meaning a compromised version of this skill would capture credentials for all of them simultaneously.
LOW (-15): Sensitive file access during runtime initialization
Filesystem monitoring detected access to ~/.aws/credentials and ~/.env during the audit. While likely caused by the clawdbot runtime rather than the skill itself, the skill's execution context has access to these sensitive files.
INFO (0): No prompt injection vectors detected
SKILL.md contains straightforward documentation with no hidden instructions, invisible characters, or manipulation attempts. The skill does not attempt to override agent behavior.