Posted in AI

Google Pulled the Plug on OpenClaw + Antigravity OAuth: “Malicious Usage” or Predictable Abuse?

   24 February 2026

So this week we got a classic modern SaaS moment:

  • An open source project finds a convenient integration path
  • Users do what users do (scale it)
  • The platform owner watches the graphs go vertical
  • Then someone in Product says the magic words: “malicious usage”

And suddenly a pile of legit people are locked out, the open source community is on fire, and everyone is asking the same question:

If nobody hacked anything, why does it feel like a breach response?

🚀 Follow Me on X – New Account

My previous X account @AngrySysOps was suspended.
I am continuing the same tech, cybersecurity, and engineering discussions under a new handle.

Follow @TheTechWorldPod on X for daily insights, threads, and podcast updates.


👉 Follow @TheTechWorldPod on X 👈

What happened (the non-hysterical version)

OpenClaw (open source, roughly 225k GitHub stars) is a local-first agent framework that can run assistants for things like browsing and email workflows.

OpenClaw’s ecosystem includes provider auth plugins, including a Google Antigravity OAuth option (disabled by default).

According to reporting:

  • Some users connected OpenClaw workflows to Google’s Antigravity backend via OAuth
  • Usage spiked hard
  • Google said service quality degraded for “real” / intended users
  • Their response was suspension/termination tied to using Antigravity through third-party tooling, described as “malicious usage”

OpenClaw’s creator, Peter Steinberger, publicly called the response “pretty draconian” and indicated he’d remove support to protect users from getting nuked.

Why Google did it (and why you shouldn’t be surprised)

From an ops perspective, this is textbook.

OAuth tokens plus third-party automation can create non-human usage patterns. Combine that with frictionless scaling and suddenly every assumption baked into “free / bundled / subsidized” capacity gets crushed.

Multi-tenant backends hate unbounded automation that looks like:

  • high request rates
  • repetitive agent loops
  • bursty traffic
  • shared token funnels

Even if nobody exploited a vulnerability, platforms still treat “abuse of intended economics” as abuse.

Translation: you can be “authorized” and still get banned.

Why the open source community is also right to be mad

Because the blast radius sucks.

If the enforcement path is “suspend first, explain later,” you create:

  • collateral damage (people who didn’t realize the integration crossed a line)
  • broken workflows overnight
  • reputational fallout for the OSS project
  • fear of experimenting with integrations at all

And when the communication is vague (“malicious usage”) it reads like:
“we’re calling you attackers”
not
“your usage pattern broke our service model.”

🚀 Follow Me on X – New Account

My previous X account @AngrySysOps was suspended.
I am continuing the same tech, cybersecurity, and engineering discussions under a new handle.

Follow @TheTechWorldPod on X for daily insights, threads, and podcast updates.


👉 Follow @TheTechWorldPod on X 👈

The real lesson for sysadmins and builders

This isn’t about morality. It’s about control planes and cost models.

If you’re running agent tooling in a company, treat it like any other integration that can blow up.

1) Prefer explicit API keys and billing over clever OAuth routing

OAuth is identity and access. It is not a blank check for compute.

2) Put guardrails on agent loops

At minimum:

  • rate limits
  • concurrency caps
  • max tool calls per run
  • spend limits (hard stop, not “notify”)

3) Separate identities

Don’t run experimental agents on accounts tied to:

  • production email
  • admin access
  • anything you can’t afford to lose to “policy enforcement”

4) Assume providers will enforce terms at the account level

Not at the app level. Not at the token level. At the account level.

That means your “lab” can become your “incident.”

So… is it malicious?

Here’s the clean framing:

  • Not a hack
  • No vuln required
  • No break-in

But also:

  • Still abuse from the platform’s POV if it bypasses intended product boundaries or economics
  • Still a bad enforcement UX if the response is mass suspension with weak comms

Both sides can be right, and everyone still loses.

What I’d do if I was using this stack

If you’re an OpenClaw user (or you run anything similar internally):

  • Disable Antigravity OAuth integrations until there’s a clearly sanctioned method
  • Switch to official API key flows where usage and billing are explicit (even if it costs money)
  • Audit automation for “agent runaway” patterns:
    • scheduled loops
    • retry storms
    • multi-agent fanout
  • Document the risk plainly: “provider can suspend accounts without appeal.”

Because that’s the real enterprise takeaway:

Your workflow is only as stable as the provider’s interpretation of “intended use.”

🚀 Follow Me on X – New Account

My previous X account @AngrySysOps was suspended.
I am continuing the same tech, cybersecurity, and engineering discussions under a new handle.

Follow @TheTechWorldPod on X for daily insights, threads, and podcast updates.


👉 Follow @TheTechWorldPod on X 👈

@angrysysops.com

I am working on GTA 7 #gta #vibecoding #gta6

♬ Original Sound – Unknown
Please leave the comment