
Security alert: Why you should ditch Antigravity Cockpit ASAP
hi all. quick story time. i hit my Antigravity quota again (as usual). i wanted a dumb-simple way to track usage. so i installed the most popular “cockpit/quota” extension (1.6M+ downloads), logged in with Google, and moved on.

then i got that tiny itch: “ok… what did i just authorize, and where is it storing auth?” so i went digging.

what i found is simple and not debatable: this extension persists Google OAuth credentials to disk in plaintext JSON, including a refresh token, and it requests a very broad scope (https://www.googleapis.com/auth/cloud-platform). that combo is the whole problem.

it’s the entire flow in one glance: login → token grabbed → written to plaintext JSON → anything running as you can read it → attacker can mint new access tokens → “whatever your IAM allows” in GCP (Google Cloud Platform).

what’s the actual risk

Extensions aren’t evil. Antigravity is a fork of VS Code. extensions run in the Extension Host (Node). they can use IDE APIs and they can touch your filesystem
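if you want to verify this yourself rather than take my word for it, here is a small audit script. it is an added example written for this post, not code from the extension or from Google. the post does not show the exact JSON layout or the storage path the extension uses, so the script takes a directory to scan as an argument and assumes only the standard OAuth 2.0 token-response field names (`refresh_token`, `access_token`, `scope`). it walks every `.json` file under that directory, flags any object carrying a token at any nesting depth, and reports whether the refresh token is present, whether the granted scope includes `https://www.googleapis.com/auth/cloud-platform`, and whether the file mode lets other users read it. the `demo()` function builds a constructed sample tree in a temp directory so the script runs offline; the token strings in it are made up.

```python
import json
import os
import stat
import sys
import tempfile
from pathlib import Path

BROAD_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
# Standard OAuth 2.0 token-response field names (RFC 6749 §5.1); the post does
# not show the extension's actual JSON shape, so these are an assumption.
TOKEN_KEYS = {"refresh_token", "access_token", "id_token"}


def find_token_objects(node, path=()):
    """Yield (json_path, obj) for every JSON object that holds a token key,
    searching at any nesting depth inside dicts and lists."""
    if isinstance(node, dict):
        if TOKEN_KEYS & set(node):
            yield path, node
        for key, value in node.items():
            yield from find_token_objects(value, path + (key,))
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from find_token_objects(value, path + (idx,))


def scopes_of(obj):
    """Google returns scope as a space-separated string; tolerate a list too."""
    raw = obj.get("scope") or obj.get("scopes") or ""
    if isinstance(raw, list):
        return set(raw)
    return set(str(raw).split())


def scan_dir(root):
    """Return one finding dict per token-bearing object found in *.json under root."""
    findings = []
    for path in sorted(Path(root).rglob("*.json")):
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (ValueError, OSError):
            continue  # not JSON, or unreadable; skip
        mode = stat.S_IMODE(path.stat().st_mode)  # meaningless on Windows, fine on POSIX
        for jpath, obj in find_token_objects(data):
            scopes = scopes_of(obj)
            findings.append({
                "file": str(path),
                "json_path": "/".join(map(str, jpath)) or "<root>",
                "has_refresh_token": "refresh_token" in obj,
                "broad_scope": BROAD_SCOPE in scopes,
                "scopes": sorted(scopes),
                # Note: even 0600 does not help against code running as you.
                "others_can_read": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
            })
    return findings


def demo():
    """Constructed sample tree (assumed layout, made-up tokens) so this runs offline."""
    root = tempfile.mkdtemp(prefix="oauth-audit-demo-")
    store = Path(root) / "globalStorage" / "some-extension"
    store.mkdir(parents=True)
    (store / "auth.json").write_text(json.dumps({
        "auth": {
            "access_token": "ya29.constructed-access-token",
            "refresh_token": "1//constructed-refresh-token",
            "scope": BROAD_SCOPE + " openid",
            "token_type": "Bearer",
            "expires_in": 3599,
        }
    }))
    (store / "settings.json").write_text(json.dumps({"pollInterval": 60}))  # benign
    return scan_dir(root)


if __name__ == "__main__":
    results = scan_dir(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for f in results:
        print(f"{f['file']} [{f['json_path']}] refresh={f['has_refresh_token']} "
              f"cloud-platform={f['broad_scope']} others_can_read={f['others_can_read']}")
    if not results:
        print("no token-bearing JSON found")
```

run it against your IDE's user-data directory (`python audit.py <dir>`); anything it reports with `refresh=True` and `cloud-platform=True` is exactly the combo described above, regardless of the file mode.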
Continue reading on Dev.to Webdev


