hi all. quick story time.
i hit my Antigravity quota again (as usual). i wanted a dumb-simple way to track usage. so i installed the most popular “cockpit/quota” extension (1.6M+ downloads), logged in with Google, and moved on.
then i got that tiny itch: “ok… what did i just authorize, and where is it storing auth?” so i went digging.
what i found is simple and not debatable: this extension persists Google OAuth credentials to disk in plaintext JSON, including a refresh token, and it requests a very broad scope (https://www.googleapis.com/auth/cloud-platform). that combo is the whole problem.
it’s the entire flow in one glance: login → token grabbed → written to plaintext JSON → anything running as you can read it → attacker can mint new access → “whatever your IAM allows” in GCP (Google Cloud Platform).
what’s the actual risk
Extensions aren’t evil. Antigravity is a fork of VS Code. extensions run in the Extension Host (Node). they can use IDE APIs and they can touch your filesystem. that’s normal.
the issue is the storage choice. an access token expiring isn’t the end of the world. a refresh token is different. it’s the “keep access alive” lever. if someone gets it once, they can keep generating new access tokens again and again, until you revoke it server-side.
so when a refresh token lives in a plaintext file under your home directory, you’ve created a durable credential that’s easy to steal. not “impossible to protect,” just “too easy to leak for what this tool is.”
why “hidden folder” / “permissions” don’t really save you
you’ll hear “but it’s a hidden folder” or “but the file is 600.” fair points. that’s better than world-readable.
but the threat model isn’t “a stranger browsing your home folder.” it’s “anything running under your user account.” that includes malware, sure. but it also includes compromised extensions, random helper tooling, and backup/sync agents that copy dotfolders.
and the most common leaks are boring mistakes. support bundles. debug zips. screenshots. accidental repo pushes. once the refresh token escapes, the attacker doesn’t need your machine anymore. they just need time, because they can keep refreshing.
why the scope makes this worse
cloud-platform doesn’t magically make someone an admin. it’s still bounded by IAM.
but it does mean the token is valid across a wide range of Google Cloud APIs. and in the real world, a lot of dev accounts have broader permissions than they think. especially in small teams or personal projects.
so the practical blast radius becomes: anything your IAM already allows, which is a lot for a tool that’s basically “show me usage.”
alright, i know this sounds like “security guy overreacting.” so let’s kill the debate the fun way: i’ll show you exactly how to verify it yourself. i ran these checks locally, you can do the same, just don’t post your tokens.
proof 1: credentials persistence
go to your extensions folder:
cd ~/.antigravity/extensions/ # or the equivalent vscode path depending on your setup
ls
find the folder:
cd jlcodes.antigravity-cockpit-1.x.x
then look for the write call:
grep -i "fs.writeFileSync" extension.js
when you inspect the minified code, you’ll see the exact “smoking gun” pattern.
first: the path is built under your home dir. it defines something like:
join(homedir(), ".antigravity_cockpit") and a filename like "server.json".
then: it writes the creds straight to disk:
writeFileSync(path, JSON.stringify({ accounts: ... }, null, 2))
no encryption. no OS keychain. no SecretStorage. it just dumps the accounts object.
you’ll also notice a hardcoded OAuth client id in the code (1071006060591-...). i’ll keep the wording clean: it looks like the extension uses a baked-in client id to perform the OAuth flow. the key point isn’t semantics, it’s this: privileged OAuth + plaintext refresh token storage is a bad combo.
and yes, you can spot the scope list too. you’ll see cloud-platform in there.
proof 2: the “bomb” sitting on your disk
after login, a hidden folder appears under your home directory. inside is a JSON file with your account and tokens.
do not share screenshots of it. those tokens are live. redact everything if you ever show a snippet.
it looks like this:
{
  "accounts": {
    "your.email@gmail.com": {
      "email": "your.email@gmail.com",
      "accessToken": "ya29.a0AfB_byC...",
      "refreshToken": "1//0eXYZabcdef...",
      "expiresAt": "2026-02-22T18:30:00.000Z",
      "projectId": "cloudaicompanion-xxx"
    }
  }
}
the access token expires, fine. the refresh token is the durable key. if anything reads that file once, it can keep generating new access tokens until you revoke access on Google’s side.
that’s why “just delete the folder” is not enough.
proof 3: what Google says
you can check what scope your token carries with Google’s tokeninfo endpoint.
again: don’t paste your token anywhere public. run it locally:
read -rs TOKEN   # paste the ya29... token here; it is not echoed and never appears on a command line
curl "https://oauth2.googleapis.com/tokeninfo?access_token=$TOKEN"
unset TOKEN
(tiny safety note: reading the token into a variable with read -s keeps it off the command line, so it never lands in your zsh history. still: don’t post it anywhere.)
look at the scope field. if it includes:
https://www.googleapis.com/auth/cloud-platform
then that’s your confirmation. broad GCP API scope, bounded by IAM, but still huge.
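to make proof 2 and proof 3 repeatable, here is a small audit script i’m adding as an example (my code, not the extension’s): it parses a server.json-shaped file and reports which accounts have a plaintext refresh token, checks whether the file is readable beyond the owner, and splits the tokeninfo scope field to flag cloud-platform. the sample server.json and tokeninfo reply are constructed with fake values, and the ~/.antigravity_cockpit/server.json path is my assumption based on the join/filename seen in the minified code.

```python
import json
import os
import stat

BROAD_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
CRED_FILE = os.path.expanduser("~/.antigravity_cockpit/server.json")  # assumed path

# constructed sample, same shape as the server.json above; every value is fake
SAMPLE_SERVER_JSON = json.dumps({"accounts": {"dev@example.com": {
    "email": "dev@example.com",
    "accessToken": "ya29.FAKE-ACCESS",
    "refreshToken": "1//0eFAKE-REFRESH",
    "expiresAt": "2026-02-22T18:30:00.000Z",
    "projectId": "cloudaicompanion-fake"}}})

# constructed sample of a tokeninfo reply (scope is a space-separated list)
SAMPLE_TOKENINFO = json.dumps({"email": "dev@example.com", "expires_in": "3412",
    "scope": "openid " + BROAD_SCOPE + " https://www.googleapis.com/auth/userinfo.email"})

def redact(secret):  # keep only a short prefix so a finding can be logged safely
    return secret[:6] + "..." if secret else ""

def audit_accounts(raw):
    """one finding per account: is a durable refresh token sitting there in plaintext?"""
    findings = []
    for email, acct in json.loads(raw).get("accounts", {}).items():
        refresh = acct.get("refreshToken", "")
        findings.append({"email": email,
                         "plaintext_refresh_token": bool(refresh),
                         "refresh_prefix": redact(refresh),
                         "project": acct.get("projectId")})
    return findings

def mode_is_loose(path):  # True when group or others can read the file (not 600)
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))

def audit_tokeninfo(raw):
    """split the tokeninfo scope field and flag the broad cloud-platform scope"""
    info = json.loads(raw)
    scopes = info.get("scope", "").split()
    return {"scopes": scopes, "broad_cloud_platform": BROAD_SCOPE in scopes,
            "expires_in_s": int(info.get("expires_in", 0))}

if __name__ == "__main__":
    print(audit_accounts(SAMPLE_SERVER_JSON))
    print(audit_tokeninfo(SAMPLE_TOKENINFO))
    if os.path.exists(CRED_FILE):
        print("real file readable by group/others:", mode_is_loose(CRED_FILE))
```

to audit your own file, read it with open(CRED_FILE).read() and pass that to audit_accounts instead of the sample; to check a real tokeninfo reply, pass the JSON body curl returned to audit_tokeninfo.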
what to do if you installed it
Revoke on Google
go to your Google Account → Security → Third-party access / Your connections.
find the app linked to Antigravity / the cockpit / Cloud Code, and remove access.
(deleting local files first doesn’t help if the refresh token is still valid server-side.)
Uninstall + fully quit the IDE
uninstall the extension. then fully quit Antigravity (don’t just close the window).
you want the Extension Host dead before you wipe files.
Local purge
rm -rf ~/.antigravity_cockpit
optional sanity check
open GCP Cloud Audit Logs and scan for anything you didn’t do:
IAM policy changes, new service accounts/keys, new API keys, unusual resource creation.
that’s it. no “vibe coding is evil” rant. just: plaintext refresh token + cloud-platform scope is a huge blast radius for a quota checker.
i’m not a security expert, just a guy who likes tinkering, and i really wanted to share what i found. if this helps even a few people avoid a nasty surprise, i’m happy. and if anything here looks wrong or misleading, tell me! i’d genuinely rather fix it than “win” the thread.
