by tabs_or_spaces 120 days ago
So the timeline is basically

* User uses Google OAuth to integrate their OpenClaw

* User gets banned from using Google AI services with no warning

* User still gets charged

If you go backwards, getting charged for services you can't access is rough. I feel sorry for those who are deeply integrated into Google services or getting banned on their main accounts. It's not a great situation.

Also, getting banned without warning is rough as well. I wonder if the situation will be different for business accounts as opposed to what seem like personal accounts?

The ban itself seems fair though; Google is allowed to restrict usage of their services. Even though it's probably not developer friendly, it's within their rights to do so.

I guess there's some level of post mortem to do on the openclaw side too.

* Why did openclaw allow Google anti gravity logins?

* The plugin is literally called "google-antigravity-auth", why didn't that give the signal to the maintainers?

* Why don't the maintainers, for an integration project, do due diligence checks on the terms of service of everything you're integrating with?


> * Why did openclaw allow Google anti gravity logins?

OpenClaw went from virtually unheard of to a sensation in a couple weeks. There was intense commit activity and the main author bragged about not even reading the code himself. It was all heavily AI driven and moving at an extreme rate. Everyone was competing to get their commits in because they wanted to be a part of it.

The entire project was a fast and furious experiment. Nobody was stopping to think if something was a good idea or not when someone published a plugin for using this endpoint. People just thought “cool!” and installed it.

That's how AI is supposed to be used, no? That's what the providers advertise - it increases development speed, a lot, it replaces devs and so on.

But I guess it's only ok when you work on regular joe facing projects, where the consequences of bugs are on powerless users. If the consequences are on Google, well, that's not acceptable now is it?

The consequences for Google are that people are misusing the keys and Google is fixing that. They're not banning anybody using proper API keys.

> using AI for vibes is a fast track to bugs and security incidents

Yes, that's what he said.

> That's how AI is supposed to be used, no? That's what the providers advertise - it increases development speed, a lot, it replaces devs and so on.

Not really. There’s a difference between accelerating development in the hands of an experienced developer versus having somebody just slop code by hoping for the best.

Adopting AI doesn’t equal removing code review. These were two separate choices combined.

> https://blog.samaltman.com/the-gentle-singularity

Search for "review": 0 matches.

Of course the fine print says to review, just like the ultimate control of the "full self driving" rests with the human driver. But why is the fine print fine, and not as large as the large print? Maybe because you're not supposed to pay attention to it? Could this be?

> Also, getting banned without warning is rough as well.

Agreed. The lesson is: do not become dependent on Google. Ever.

(Unfortunately I still use YouTube and a Chromium-based browser. Long-term I hope to find alternatives to both problems. Google search I no longer need because Google already ruined it a few years ago; the quality now is just horrible. I cannot find anything useful with it anymore.)

Literally just use Firefox.

Firefox is financed by Google and makes them survive (but yes, clearly the only realistic alternative that is not Chromium-based)

Use Librewolf.

Firefox would be able to survive without Google, even though it currently chooses not to. Mozilla is not Firefox any more than Linux Foundation is Linux.

They pay to be made the default search engine, true. I'm not aware of there being anything beyond that.

The claim that is often repeated in discussions is that Firefox is completely dependent on that money and can't survive without it.

Zen browser. Or Floorp.

What Google search alternative have you found? I'm trying out Ecosia, DuckDuckGo and Brave Search, but I find their search results even worse, so on the second query I tend to bang to Google..

Google Search is over. There may not be a free alternative, as they've lost the arms war between phone number incrementing ad pages, AI spew, and rank hackers.

Have you tried Kagi yet? It's pretty popular among HN folks, and I find it easily worth the price.

Kagi indirectly funds the Kremlin's regime, just to know where your money goes if we're talking about not supporting Google.

Even worse: it funds the White House's regime more, by a large margin.

You make it sound like a significant amount is going to the Kremlin, but I assume the API cost for using Yandex from Kagi is negligible and only a fraction of that goes to the Russian government. Isn't this more of a symbolic thing to request not cooperating with Russian companies?

For some people it doesn't matter how negligible. And it's better to know and make up their own mind.

Damn, how so?

A small percentage goes to Yandex because they use Yandex as an index: https://kagifeedback.org/d/5445-reconsider-yandex-integratio...

How so?

I use DDG and haven't found better results from searching with Google in a long time, but that might just be the kind of things I search for.

I've been using DDG for years now, and it's been probably 2 years since I needed to use the "!g" escape hatch.

Very very happy with it.

Agree. Historically you would just not get any good results for a search and try Google, but these days it's more likely there just aren't any good results for your search, period, regardless of engine. Funny enough, that's when I've had better results asking ChatGPT or similar, because I'm typically after some sort of consensus or summary in those situations.

DDG is good enough that I switched many years ago and never went back. Any time I use Google (!g) to repeat a query (recently it's maybe a few times per year) it fails to show anything useful too, so I don't see any benefit to even checking it lately.

Similar experience for me. I've been using DDG for years and while the quality has gone downhill somewhat I still rarely use !g because Google almost never has a useful result either if DDG strikes out.

Maybe we have to pay for search? I am experimenting with paying Proton another $10/month for a paid lumo+ account. lumo+ is a private chat like ChatGPT that uses a strong Mistral model and also privacy-preserving web_search LLM tooling under the hood. For about a month I have just used lumo+ with the web_search tool enabled. I may not do this forever, but for now I like just having one tool to use. Note: I still use Gemini for technical work, but lumo+ for day to day chat and web search.

In the past I just used DuckDuckGo for most search, occasionally Google. That also worked well for me.

Kagi

Might want to try https://www.mojeek.com/ .

Have you tried Kagi?

It doesn't seem fair at all; though I'm glad to see it's not as bad as I feared (yet?).

> Hoping for some transparency, I left a single, polite comment asking for clarification on why the update was removed. Surprisingly, my forum account was banned shortly after posting that question.

Have you seen the code of OpenClaw? It would not surprise me if there is a mistake in there somewhere that causes the bot to hammer Google auth for the refresh token in a very identifiable manner, because no one in that repo is bothering to look at the code before merging. Moved fast, broke things.

I don't understand step 1. OAuth client applications have to be registered in GCP, right? They have to request specific scopes for specific APIs, and there is a review process before they can be used by the public. Did none of that happen for the Open Claw client? How is it the users' fault for clicking a "Sign in with Google" button? And if there was a mistake, why not ban the whole client?

I could see a problem with logging into Antigravity then exfiltrating the tokens to use somewhere else... But that doesn't sound like what happened. (And then how would they know?)

I haven't used Open Claw, so what else am I missing to make this make sense?

To my understanding, OpenClaw pretends to be Antigravity by using the Antigravity OAuth client ID (and doesn't have its own), and then takes the token Google returns to use with OpenClaw instead.

When I first tried OpenClaw and chose Google Sign-In, I noticed the window appeared saying "Sign into Google Antigravity" with a Google official mark, and a warning it shouldn't be used to sign into anything besides official Google apps. I closed it immediately and uninstalled OpenClaw as this was suspicious to me, and it was a relatively new project then.

It amazes me that the maintainer(s) allowed something like this...

Ah, ok. I guess there is no way for Google to prevent this since desktop apps are public clients that use PKCE.

I imagine Open Claw must also have registered the Antigravity custom URL scheme in order to receive the redirect.

Remaining question is how Google determines that traffic is not actually coming from Antigravity.

> Remaining question is how Google determines that traffic is not actually coming from Antigravity.

Spiralling here: high volumes, and tool calls that are not typical for an agentic IDE.

If this is like the flow it uses for a Codex / ChatGPT subscription, it doesn't even register a handler: the redirect opens as a 404 in your browser and there are instructions on copying the token from the query string!

> OAuth client ID (and doesn't have its own), and then takes the token Google returns to use with OpenClaw instead.

Still surprised.

Client ID ok.

But openclaw needs the secret also?

Does it also mean Antigravity did not restrict to specific applications?

Antigravity runs on your machine, the secret is there for the taking.

This is true of all OAuth client logins in this way, it's why the secret doesn't mean the same thing as it does with server to server login, you can never fully trust the client.

OAuth impersonation is nothing new, it's a well known attack vector that can't really be worked around (without changing the UX), the solution is instead terms of service, policies, and enforcement.
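The two points made above (desktop apps are public clients using PKCE, and an embedded secret is "there for the taking") can be seen in a small added Python example; it is not code from the thread or from any project named in it, and CLIENT_ID plus the toy authorization server are constructed stand-ins. It shows what PKCE binds (the authorization code to the code_verifier of whoever started that flow) and what it cannot bind (which program presented the client_id), which is why the server-side remedy ends up being policy and anomaly enforcement rather than the secret.

```python
import base64
import hashlib
import secrets

CLIENT_ID = "example-public-client-id"  # constructed placeholder, not a real client ID

def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def challenge_for(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def make_pkce_pair() -> tuple[str, str]:
    """Fresh high-entropy code_verifier (43 chars) and its code_challenge."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, challenge_for(verifier)

def token_exchange(pending: dict, code: str, client_id: str, verifier: str) -> bool:
    """Toy authorization server. The only binding it can check is that the code was
    issued to this client_id string and that the verifier hashes to the stored challenge."""
    entry = pending.get(code)
    if entry is None or entry["client_id"] != client_id:
        return False
    return secrets.compare_digest(challenge_for(verifier), entry["challenge"])

def demo() -> tuple[bool, bool, bool]:
    """Returns (own flow accepted, stolen code rejected?, second program accepted)."""
    pending = {}
    # Flow 1: a program embedding CLIENT_ID starts a flow and keeps its verifier.
    v1, c1 = make_pkce_pair()
    pending["code-1"] = {"client_id": CLIENT_ID, "challenge": c1}
    own_flow_ok = token_exchange(pending, "code-1", CLIENT_ID, v1)
    # Someone who captured code-1 from the redirect but not v1 is stopped by PKCE.
    stolen_code_ok = token_exchange(pending, "code-1", CLIENT_ID, "not-the-verifier")
    # Flow 2: a different program that also embeds CLIENT_ID runs its own full flow.
    # The server cannot distinguish it from flow 1: PKCE never identified the binary.
    v2, c2 = make_pkce_pair()
    pending["code-2"] = {"client_id": CLIENT_ID, "challenge": c2}
    other_program_ok = token_exchange(pending, "code-2", CLIENT_ID, v2)
    return own_flow_ok, stolen_code_ok, other_program_ok
```

An embedded client secret would not change demo()'s third result, since any program shipping the same binary can present that secret too; the detection signal the thread mentions (volume and atypical tool calls) lives outside the OAuth exchange.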

> It amazes me that the maintainer(s) allowed something like this...

Really? In today's landscape this is the part that surprises you? I'm seeing these types of decisions repeatedly and typically my only question is do they not know any better, or intentionally not care?

1. Did a human really knowingly decide to allow that?

2. Did a human create the plugin?

3. Are the maintainers human?

By human I mean an animal that is intelligent enough to understand the agreements and what code they are writing.

Most people aren't human then, sad.

I think Dune is easily a top ten franchise among computer people, so that sort of thing is nothing new.

I think as a society we miss some kind of 'laws', or 'rules' around accounts and banning.

I feel that sometimes corporations have all 3 Montesquieu powers. Google can define EULAs, decide if you should be punished, and apply a ban.

Can a shop decide who to serve? I may be wrong, but big tech should not be able to 'just close' accounts, or demonetize accounts on their whim.

> Why did openclaw allow Google anti gravity logins?

There's a good chance the plugin was written by Gemini; why did it allow that?