item 47118671

coffe2mug | 7 days ago

> OAuth client ID (and doesn't have its own), and then takes the token Google returns to instead use with OpenClaw.

Still surprised.

Client ID ok.

But openclaw needs the secret also?

Does it also mean Antigravity did not restrict to specific applications?


danpalmer | 7 days ago

Antigravity runs on your machine, the secret is there for the taking.

This is true of all OAuth client logins of this kind; it's why the secret doesn't mean the same thing as it does with server-to-server login: you can never fully trust the client.

OAuth impersonation is nothing new; it's a well-known attack vector that can't really be worked around (without changing the UX). The solution is instead terms of service, policies, and enforcement.
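The property danpalmer describes, as an added example that is not part of the thread and is not code from either product mentioned in it: a toy authorization server that authenticates a client only by client_id plus client_secret (authorization-code flow with PKCE), and two local processes that both complete the flow, one the "real" app and one a different program that has read the same secret out of the app's files. The server, the client registration, the secret value and the pretend binary the secret is extracted from are all constructed for the illustration; nothing here reflects how any real vendor ships or checks credentials.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed client registration (hypothetical id and secret, not real
# credentials). The "secret" is the one a desktop app ships with.
REGISTERED_CLIENTS = {
    "desktop-app-123": {
        "secret": "shipped-inside-the-binary",
        "redirect_uris": {"http://127.0.0.1/callback"},
    },
}


def s256(verifier: str) -> str:
    """PKCE S256 code challenge: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


@dataclass
class AuthServer:
    """Toy authorization server for the authorization-code flow with PKCE.

    It knows a client only by (client_id, client_secret) plus a redirect_uri
    allow-list; it never learns which program is on the other end.
    """
    codes: dict = field(default_factory=dict)   # code -> (client_id, redirect_uri, challenge)
    tokens: dict = field(default_factory=dict)  # token -> client_id it was issued to

    def authorize(self, client_id: str, redirect_uri: str, code_challenge: str) -> str:
        reg = REGISTERED_CLIENTS.get(client_id)
        if reg is None or redirect_uri not in reg["redirect_uris"]:
            raise PermissionError("unknown client or unregistered redirect_uri")
        # (user consent in the browser happens here; omitted)
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, client_id, client_secret, code, code_verifier, redirect_uri) -> str:
        reg = REGISTERED_CLIENTS.get(client_id)
        if reg is None or not hmac.compare_digest(reg["secret"], client_secret):
            raise PermissionError("bad client credentials")
        entry = self.codes.pop(code, None)  # codes are single use
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            raise PermissionError("code not valid for this client/redirect_uri")
        if not hmac.compare_digest(s256(code_verifier), entry[2]):
            raise PermissionError("PKCE verifier does not match challenge")
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = client_id
        return tok


def run_client(server: AuthServer, client_id: str, client_secret: str,
               redirect_uri: str = "http://127.0.0.1/callback") -> str:
    """The full flow as any local process would drive it: generate its own
    PKCE pair, obtain a code, redeem it with the client credentials."""
    verifier = secrets.token_urlsafe(32)
    code = server.authorize(client_id, redirect_uri, s256(verifier))
    return server.token(client_id, client_secret, code, verifier, redirect_uri)


def extract_secret(binary: bytes) -> str:
    """Stand-in for pulling the secret out of an installed app (strings, a
    debugger, reading its config); here it is a NUL-terminated field."""
    start = binary.index(b"secret=") + len(b"secret=")
    return binary[start:binary.index(b"\0", start)].decode()


# Constructed stand-in for the installed app's binary with the secret embedded.
FAKE_BINARY = b"\x7fELF...client_id=desktop-app-123\0secret=shipped-inside-the-binary\0..."


def demo() -> tuple:
    """Return the client_id each token was attributed to: the legitimate app
    first, then a different program using the extracted secret."""
    server = AuthServer()
    legit = run_client(server, "desktop-app-123", "shipped-inside-the-binary")
    imposter = run_client(server, "desktop-app-123", extract_secret(FAKE_BINARY))
    return server.tokens[legit], server.tokens[imposter]


def wrong_secret_rejected() -> bool:
    """The secret is still checked; it proves possession, not which program holds it."""
    try:
        run_client(AuthServer(), "desktop-app-123", "guess")
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), wrong_secret_rejected())
```

Both tokens come back attributed to the same client_id, and the server has no signal to tell them apart: the impersonating program runs the whole flow itself, so PKCE (which only stops an intercepted code being redeemed by a party that did not start the flow) passes, and the redirect_uri allow-list does not help either, since a loopback URI is reachable by any process on the same machine. That is why the fix is policy and enforcement rather than a stronger secret.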