tabs_or_spaces 2 hours ago

So the timeline is basically

* User uses Google OAuth to integrate their open claw

* User gets banned from using Google AI services with no warning

* User still gets charged

If you go backwards, getting charged for services you can't access is rough. I feel sorry for those who are deeply integrated into Google services or getting banned on their main accounts. It's not a great situation.

Also, getting banned without warning is rough as well. I wonder if the situation will be different for business accounts as opposed to what seem like personal accounts?

The ban itself seems fair though, Google is allowed to restrict usage of their services. Even though it's probably not developer friendly, it's within their rights to do so.

I guess there's some level of post mortem to do on the openclaw side too.

* Why did openclaw allow Google anti gravity logins?

* The plugin is literally called "google-antigravity-auth", why didn't that give the signal to the maintainers?

* Why don't the maintainers, for an integration project, do due diligence checks on the terms of service of everything you're integrating with?

axus 2 hours ago

It doesn't seem fair at all; though I'm glad to see it's not as bad as I feared (yet?).

> Hoping for some transparency, I left a single, polite comment asking for clarification on why the update was removed. Surprisingly, my forum account was banned shortly after posting that question.

Aurornis 31 minutes ago

> * Why did openclaw allow Google anti gravity logins?

OpenClaw went from virtually unheard of to a sensation in a couple weeks. There was intense commit activity and the main author bragged about not even reading the code himself. It was all heavily AI driven and moving at an extreme rate. Everyone was competing to get their commits in because they wanted to be a part of it.

The entire project was a fast and furious experiment. Nobody was stopping to think if something was a good idea or not when someone published a plugin for using this endpoint. People just thought “cool!” and installed it.

anon84873628 2 hours ago

I don't understand step 1. OAuth client applications have to be registered in GCP, right? They have to request specific scopes for specific APIs, and there is a review process before they can be used by the public. Did none of that happen for the Open Claw client? How is it the users' fault for clicking a "Sign in with Google" button? And if there was a mistake, why not ban the whole client?

I could see a problem with logging into Antigravity then exfiltrating the tokens to use somewhere else... But that doesn't sound like what happened. (And then how would they know?)

I haven't used Open Claw, so what else am I missing to make this make sense?

integralpilot 2 hours ago

To my understanding, OpenClaw pretends to be Antigravity by using the Antigravity OAuth client ID (and doesn't have its own), and then takes the token Google returns to instead use with OpenClaw.

When I first tried OpenClaw and chose Google Sign-In, I noticed the window appeared saying "Sign into Google Antigravity" with a Google official mark, and a warning it shouldn't be used to sign into anything besides official Google apps. I closed it immediately and uninstalled OpenClaw as this was suspicious to me, and it was a relatively new project then.

It amazes me that the maintainer(s) allowed something like this...

coffe2mug 6 minutes ago

> OAuth client ID (and doesn't have its own), and then takes the token Google returns to instead use with OpenClaw.

Still surprised.

Client ID ok.

But openclaw needs the secret also?

Does it also mean Antigravity did not restrict to specific applications?

anon84873628 an hour ago

Ah, ok. I guess there is no way for Google to prevent this since desktop apps are public clients that use PKCE.

I imagine Open Claw must also have registered the Antigravity custom URL scheme in order to receive the redirect.

Remaining question is how Google determines that traffic is not actually coming from Antigravity.

overfeed an hour ago

> Remaining question is how Google determines that traffic is not actually coming from Antigravity.

Spiralling here: high volumes, and tool calls that are not typical for an agentic IDE.
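On the point raised above that desktop apps are public clients that use PKCE: the following is an added example, not code from any commenter or from either project, modelling the server-side PKCE check from RFC 7636 to show what it verifies (that the party redeeming a code is the one that started the flow) and what it leaves unverified (which software that party is). `ToyAuthServer`, `run_flow`, `redeem_with_wrong_verifier` and the client ID are hypothetical names and a constructed placeholder.

```python
import base64
import hashlib
import hmac
import secrets

PUBLIC_CLIENT_ID = "example-desktop-app.apps.invalid"  # constructed placeholder

def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(verifier)), padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

class ToyAuthServer:
    """Hypothetical, minimal authorization server for a public (secretless) client."""
    def __init__(self, registered_client_ids):
        self.registered = set(registered_client_ids)
        self.pending = {}  # authorization code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str) -> str:
        if client_id not in self.registered:
            raise ValueError("unknown client_id")
        code = secrets.token_urlsafe(16)
        self.pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        issued_to, challenge = self.pending.pop(code, (None, ""))  # single use
        if issued_to != client_id:
            return None
        # PKCE check: proves the redeemer started this flow, nothing more.
        if not hmac.compare_digest(s256_challenge(code_verifier), challenge):
            return None
        return {"access_token": secrets.token_urlsafe(16), "client_id": client_id}

def run_flow(server: ToyAuthServer, client_id: str):
    """A full code+PKCE flow. Note there is no parameter identifying the
    software that runs it: the server only ever sees the public client_id."""
    verifier = secrets.token_urlsafe(48)  # 64 chars, inside RFC 7636's 43..128
    code = server.authorize(client_id, s256_challenge(verifier))
    return server.token(client_id, code, verifier)

def redeem_with_wrong_verifier(server: ToyAuthServer, client_id: str):
    """What PKCE does stop: a stolen code redeemed without the verifier."""
    code = server.authorize(client_id, s256_challenge(secrets.token_urlsafe(48)))
    return server.token(client_id, code, secrets.token_urlsafe(48))
```

Because the token request carries nothing that attests to the calling binary, any attribution of traffic to a particular app has to come from signals outside the OAuth exchange itself.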