Why OpenClaw’s AI Agent Went Viral and Triggered Google’s Antigravity Ban

Google Antigravity restriction and OpenClaw impact

On Monday Google announced a temporary restriction on the Antigravity platform (the backend for the Gemini CLI and Cloud Code Private API) because a large number of third‑party agents, including OpenClaw, generated unauthorized Gemini token requests. The overload degraded service quality for regular users, so Google blocked accounts that accessed Gemini tokens in a non‑compliant way. The restriction does not affect other Google services.

OpenClaw architecture and usage pattern

OpenClaw is an open‑source framework that builds autonomous agents on top of Antigravity. Agents can be linked to Gmail, Slack or other services and invoke the Gemini backend to obtain LLM responses. When many agents issue token calls in parallel, the backend can become saturated, triggering the restriction.

Example: voice‑message transcription agent

An agent received an incoming Opus‑encoded voice message without a file extension. Using its granted system permissions it performed the following steps:

Detect the file header and identify the Opus codec.

Invoke ffmpeg to transcode the audio to a supported format (e.g., WAV).

Read the OPENAI_API_KEY environment variable.

Send the transcoded file to the OpenAI Whisper transcription endpoint with curl.

ffmpeg -i input.opus -ar 16000 -ac 1 output.wav
curl https://api.openai.com/v1/audio/transcriptions \
  -H "Authorization: Bearer $OPENAI_API_KEY" \
  -F [email protected] \
  -F model=whisper-1

This workflow shows how granting agents full computer access and toolchains (ffmpeg, curl) enables them to solve tasks that were not explicitly programmed.

Permission model and prompt‑driven development

Steinberger treats pull requests as “prompt requests”. Before merging code, the PR is fed to an LLM to extract the underlying intent and evaluate whether the change is the optimal solution. The focus shifts from syntactic perfection to problem‑solving effectiveness.

Security considerations

OpenClaw includes an optional web service intended only for local debugging. Because the service is configurable, users can expose it publicly via reverse proxies. Security researchers assigned a CVSS 10.0 rating to this exposure. The project’s response is to provide documentation for safe deployment (e.g., bind the service to 127.0.0.1, enable authentication, or disable it entirely) rather than trying to restrict how the open‑source code is used.

Mitigation steps for affected users

Identify agents that invoke Gemini tokens without proper authentication.

Disable or re‑configure the OpenClaw web service to listen only on 127.0.0.1.

Regenerate API keys and rotate them in the Antigravity console.

Follow Google’s recovery process to restore access for legitimate accounts.