integralpilot 2 hours ago

To my understanding, OpenClaw pretends to be Antigravity by using the Antigravity OAuth client ID (and doesn't have its own), and then takes the token Google returns to instead use with OpenClaw. When I first tried OpenClaw and chose Google Sign-In, I noticed the window appeared saying "Sign into Google Antigravity" with a Google official mark, and a warning it shouldn't be used to sign into anything besides official Google apps. I closed it immediately and uninstalled OpenClaw as this was suspicious to me, and it was a relatively new project then. It amazes me that the maintainer(s) allowed something like this...

coffe2mug 4 minutes ago

> OAuth client ID (and doesn't have its own), and then takes the token Google returns to instead use with OpenClaw.

Still surprised. Client ID ok. But OpenClaw needs the secret also? Does it also mean Antigravity did not restrict to specific applications?

anon84873628 an hour ago

Ah, ok. I guess there is no way for Google to prevent this since desktop apps are public clients that use PKCE. I imagine OpenClaw must also have registered the Antigravity custom URL scheme in order to receive the redirect. The remaining question is how Google determines that traffic is not actually coming from Antigravity.
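
The point raised in the last comment about public clients and PKCE, as an added example that is not part of the thread: a toy authorization server (RFC 7636 S256 check only) showing what PKCE lets the server verify and what it does not. The `AuthServer` class, the client ID and the redirect URI are constructed for illustration and do not model Google's actual endpoints or checks.

```python
import base64, hashlib, secrets

def s256(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

class AuthServer:
    """Toy authorization server for one public client (no client secret)."""
    def __init__(self, client_id, redirect_uri):
        self.client_id, self.redirect_uri = client_id, redirect_uri
        self.pending = {}  # authorization code -> code_challenge

    def authorize(self, client_id, redirect_uri, code_challenge):
        # Both values ship inside the installed app, so they are public.
        if (client_id, redirect_uri) != (self.client_id, self.redirect_uri):
            raise PermissionError("unknown client or redirect URI")
        code = secrets.token_urlsafe(16)
        self.pending[code] = code_challenge
        return code

    def token(self, client_id, code, code_verifier):
        challenge = self.pending.pop(code, None)  # codes are single use
        if client_id != self.client_id or challenge is None:
            raise PermissionError("invalid grant")
        # PKCE proves: whoever redeems the code also started this flow.
        if not secrets.compare_digest(s256(code_verifier), challenge):
            raise PermissionError("PKCE verification failed")
        return "access-token-" + secrets.token_urlsafe(8)

def run_flow(server, client_id, redirect_uri, redeem_with=None):
    """Run one code flow; redeem_with simulates a party lacking the verifier."""
    verifier = secrets.token_urlsafe(32)  # 43 chars, valid per RFC 7636
    try:
        code = server.authorize(client_id, redirect_uri, s256(verifier))
        server.token(client_id, code, redeem_with or verifier)
        return True
    except PermissionError:
        return False

CLIENT_ID = "first-party-app.example"          # constructed value
REDIRECT = "com.example.firstparty:/callback"  # constructed value

if __name__ == "__main__":
    srv = AuthServer(CLIENT_ID, REDIRECT)
    # Code redeemed without the matching verifier: rejected by PKCE.
    print("wrong verifier:", run_flow(srv, CLIENT_ID, REDIRECT, "x" * 43))
    # Flow built only from public values: nothing here identifies the binary.
    print("public values only:", run_flow(srv, CLIENT_ID, REDIRECT))
```

In this model the server can tell that the same party started and finished a flow, but nothing in the exchange distinguishes which installed program that party is; any stronger signal has to come from outside the OAuth messages shown here.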