Security Audit
sundial-org/awesome-openclaw-skills:skills/antigravity-quota
github.com/sundial-org/awesome-openclaw-skills
Trust Assessment
sundial-org/awesome-openclaw-skills:skills/antigravity-quota received a trust score of 40/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 3 findings: 0 critical, 2 high, 0 medium, and 0 low severity. Key findings include Unsafe deserialization / dynamic eval, Base64 encoded credentials.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on March 3, 2026 (commit 6d998e00). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unsafe deserialization / dynamic eval: Base64 decode of large encoded payload (Node.js). Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/antigravity-quota/check-quota.js:35 |
| HIGH | Unsafe deserialization / dynamic eval: Base64 decode of large encoded payload (Node.js). Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/antigravity-quota/check-quota.js:36 |
| INFO | Base64 encoded credentials: The skill uses base64 encoding to store `CLIENT_ID` and `CLIENT_SECRET` directly within the `check-quota.js` file. While the comments suggest these are public client credentials for Google OAuth, and thus not truly secret, base64 encoding is a form of weak obfuscation. For genuinely sensitive credentials, this would be a critical vulnerability as it offers no real protection. For public credentials, it primarily impacts code readability and could be misleading, implying a level of security that isn't present. For public client IDs and secrets, consider storing them directly as plain strings for clarity, as base64 encoding does not provide security. If these credentials were intended to be confidential, they should be protected by a robust secrets management system (e.g., environment variables, a dedicated secrets store), not merely base64 encoded within the code. | LLM | check-quota.js:26 |