Google restricting Google AI Pro/Ultra subscribers for using OpenClaw

So purely from a hacker perspective, I'm amused at the whining.

Like, a corporation had a weakness you could exploit to get free/cheap thing. Fair game.

Then someone shares the exploit with a bunch of script kiddies, they exploit it to the Nth degree, and the company immediately notices and shuts everyone down.

Like, my dudes, what did you think was going to happen?

You treasure these little tricks, use them cautiously, and only share them sparingly. They can last for years if you carefully fly under the radar, before they're fixed by accident when another system is changed. THEN you share tales of your exploits for fame and internet points.

And instead, you integrate your exploit into hip new thing, share it at scale, write blog posts and short form video content about it, basically launch a DDoS against the service you're exploiting, and then are shocked when the exploit gets patched and whine about your free thing getting taken away?

Like, what did you expect was going to happen?

Additional information from Google employee https://x.com/_mohansolo/status/2025766889205739899 :

"We’ve been seeing a massive increase in malicious usage of the Anitgravity backend that has tremendously degraded the quality of service for our users. We needed to find a path to quickly shut off access to these users that are not using the product as intended. We understand that a subset of these users were not aware that this was against our ToS and will get a path for them to come back on but we have limited capacity and want to be fair to our actual users."

So the timeline is basically

* User uses Google oauth to integrate their open claw

* user gets banned from using Google AI services with no warning

* user still gets charged

If you go backwards, getting charged for services you can't access is rough. I feel sorry for those who are deeply integrated into Google services or getting banned on their main accounts. It's not a great situation.

Also, getting banned without warning is rough as well. I wonder if the situation will be different for business accounts as opposed what seems like personal accounts?

The ban itself seems fair though, google is allowed to restrict usage of their services. Even though it's probably not developer friendly, it's within their rights to do so.

I guess there's some level of post mortem to do on the openclaw side too.

* Why did openclaw allow Google anti gravity logins?

* The plugin is literally called "google-antigravity-auth", why didn't that give the signal to the maintainers?

* Why don't the maintainers, for an integration project, do due diligence checks on the terms of service of everything you're integrating with?

This is draconian.

> Our investigation specifically confirmed that the use of your credentials within the third-party tool “open claw” for testing purposes constitutes a violation of the Google Terms of Service [1]. This is due to the use of Antigravity servers to power a non-Antigravity product. I must be transparent and inform you that, in accordance with Google’s policy, this situation falls under a zero tolerance policy, and we are unable to reverse the suspension. I am truly sorry to share this difficult news with you.

I don't know why people here can't accept the simple fact that AI companies are offering cheap "unlimited" plans as a loss leader to tie you to their ecosystem, and then make up for it via add-ons, upsells, ads etc. If you use those API tokens to access external services it defeats the purpose. The hack may have worked so far, mainly because no one was checking, but they are all going to tighten the access eventually (as Anthropic and Google have already done).

Either stick to first party products or pay for API use.

Google's Pro service (no idea about ultra and I have no intention to find out) is riddled with 429s. They have generous quotas for sure, but they really give you very low priority. For example, I still dont have access to Gemini 3.1 from that endpoint. It's completely uncharacteristic of Google.

I analyzed 6k HTTP requests on the Pro account, 23% of those were hit with 429s. (Though not from Gemini-CLI, but from my own agent using code assist). The gemini-cli has a default retry backoff of 5s. That's verifiable in code, and it's a lot.

I dont touch the anti-gravity endpoint, unlike code-assist, it's clear that they are subsidizing that for user acquisition on that tool. So perhaps it's ok for them to ban users form it.

I like their models, but they also degrade. It's quite easy to see when the models are 'smart' and capacity is available, and when they are 'stupid'. They likely clamp thinking when they are capacity strapped.

Yes the models are smart, but you really cant "build things" despite the marketing if you actively beat back your users for trying. I spent a decade at Google, and it's sad to see how they are executing here, despite having solid models in gemini-3-flash and gemini-3.1

I'm very confused here. The monthly plans are meant to be used inside of Google's walled garden, but people are somehow able to capture (?) and re-use the oAuth token?

Regardless, I thought it was pretty obvious that things like OpenClaw require an API account, and not a subsidized monthly plan.

This is the first time in recent memory that software has had high variable costs so the surprise at these rules is understandable.

In this case, a the difference in context cache hit rate between openclaw and antigravity.

For example if openclaw starts every message with the current time hh:mm:ss at the top of the context window, followed by the full convo history, it would have a cache hit rate if ~0. Simply moving the updated time to each new message incrementally would increase hit rate to over 90%. Idk if openclaw does this but there’s many many optimizations like this. And worse, thrashing the cache has non linear effects on the server as more and more users’ cached contexts get evicted from cache due to high cardinality. The cost to serve difference could be >10x.

Google is the furthest behind on coding agent adoption and has all the incentives to allow off policy use to grow demand. But it would probably be better to design their own optimized openclaw and serve that for free than let any unoptimized requests in.

I don't understand how this can be enforced without ridiculous levels of false positives. I'm truly baffled. The same with Claude Code situation.

gemini-cli, claude-code, codex etc, they ALL have a -p flag or equivalent, which is non-interactive IO interface for their LLM inference.

If I wire my tooling (or openclaw) to use the -p flag (or equivalents), is that allowed?

Okay, maybe they get rid of the -p flag and I have to use an interactive session. I can then just use OS IO tooling to wire OpenClaw with their cli. Is that allowed?

How does sending requests directly to the endpoints that their CLI is communicating with suddenly make their subsidized plans expensive? Is it because now I can actually use my 100% quota? If that's so, does it mean their products are such that their profitability stands on people not using them?

What is even going on?

If you go to an all you can eat buffet, ignore the plates they give you, and start filling up your own takeaway boxes with days worth of food, you'd expect to be kicked out.

No one would think this is unreasonable. You're not paying for unlimited food forever, you're paying for all you can eat in the restaurant right there.

Of course Google can restrict how their API is accessed. But locking paid accounts with no warning, no explanation email, and no functioning support path while continuing to charge $249/month is a different problem entirely. A reasonable enforcement process would have been a warning email, grace period to stop using the tool, then restriction.

What an awful way to lose trust, locking out their users but billing them all the same.

Google, unlike all their competitors, actually give Cloud API credits to all paying users of AI Pro and AI Ultra [1] - just use those for direct Gemini/Vertex API access instead of trying to hack the OAuth of Google's apps.

[1] https://blog.google/innovation-and-ai/technology/developers-...

> Product usage subsidized by company, $100. Users inevitably figure out how to steal those subsidies, agents go brrrrr. Users mad that subsidy stealing gets cut off and completely ignore why they need to rely on subsidies in the first place, priceless.

https://news.ycombinator.com/item?id=47073097

I'd like to add, that's "priceless" for "them" and not for you.

Google deciding to willy nilly unilaterally ban my 20+ year old primary Google account is probably my greatest internet fear, given how famously awful their support is. Seems like it's the singular best example of a tech company so big that through some combination of internal silos and TOS bureaucracy you have no shot of getting your account back, no matter how unreasonable the ban actually is.

A while back I made completely separate Google accounts for YouTube and Maps just so my longstanding Gmail account wouldn't get banned if the system somehow detected that my Youtube account for example breached Google's TOS.

the ToS enforcement itself is defensible -- consumer plans vs API access really are different unit economics. what's not defensible is permanent ban with zero appeal path for paying subscribers. that's a product failure. if you're charging /mo you should at minimum have a 'we caught you, stop it or we'll close the account' step before 'account gone forever, sorry'.

So a Google AI pro/ultra account is intended to be used from their cli or tools (like their open-gravity agent front end).

Their API usage isn't included in these plans, although under the hood open-gravity uses the API.

People have been using the API auth credential intended for anti-gravity with open claw, presumably causing a significant amount of use and have been caught.

The Google admin tools and process haven’t quite been able to cope with this situation and people have been overly banned with poor information sent to the them.

I don’t think either OpenAI or Anthropic any API use in their ‘pro’ plans either?

This reminds me of the customers of “unlimited broadband” of yesteryear getting throttled or banned for running Tor servers.

This is exactly what happens when there's no accountability infrastructure for AI agents.

Google's response is to restrict access — a blunt instrument that punishes legitimate users because they have no way to verify which agents were behaving correctly and which weren't.

The real fix isn't restrictions, but cryptographic behavioral commitments — agents declare what they'll do before execution, and any third party can verify compliance after. We don't need gatekeepers. We need verification.

I've been building this: https://github.com/agbusiness195/NOBULEX

This feels like the early days of ISPs throttling VPN traffic. You're paying for a service with certain capabilities, then getting restricted for actually using those capabilities through a different interface.

The fundamental question is: if I'm a paying subscriber, why does it matter whether I access the model through your web UI or through an API wrapper? The compute cost is the same either way.

I suspect the real concern isn't usage volume but data pipeline control. When users interact through the native UI, Google gets structured interaction data. Through third-party tools, they lose that feedback loop.

Edit: I have misread some of the comments here, he didn't lose access to his whole account and data just the antigravity part. I should've done my due diligence, get out of bed and spent more time thinking instead of emotionally reacting. Guess the rage machine got me as well. Damn. I think this thread might be hijacked by ai bros.

The main point still stands, google is part of a duopoly that runs the world. You can't be a functional member of society without them. They're like a public utility and plays too big of a role in people's life to take decisions based on unknown internal policies. They're long overdue for a government intervention or for splitting up.

Why can third party application log on with OAuth if it is not allowed? Shouldn't it be really straightforward for google to not allow the OAuth when the requesting app is not a google app?

People seem to be continuously outraged by these AI subscriptions banning third party use. However, the usage patterns of the intended apps likely differ hugely from those of the third party ones.

For example, basically every first party agent harness aggressively caches the input tokens to optimise inference, something that third party harnesses often disgregard, or are fundamentally incompatible with as they switch agents for subtasks and the like.

To extend this use case though, how much do poeple expect to be able to use the internal API's of the apps they subscribe to?

If I buy an Uber One subscription, am I then justified reverse engineering the gazeteer API from the app and reusing it in other apps I use? What about the speech to text API MS Teams must use for transcribing meetings as part of a business standard subscription?

I think these are obvious and emphatic breaches that no reasonable person would expect to be justified in, maybe miffed if your clever hack gets banned, but being banned would be considered fair play.

I fail to see the distinction.

Same for using OpenCode.

https://github.com/jenslys/opencode-gemini-auth/issues/50

https://github.com/NoeFabris/opencode-antigravity-auth/issue...

https://github.com/jenslys/opencode-gemini-auth/issues/50

Some additional discussion on Reddit: https://old.reddit.com/r/google_antigravity/comments/1r2hnn8...

I'll admit to knowingly taking advantage of Google's pricing, but I had assumed it was within a gray area. No warning bans are insane.

Everyone's debating whether Google's TOS is fair.

The real issue is that we're building entire development workflows on subsidized inference that was never priced to be used this way.

OpenClaw burns tokens at a rate these $200/month plans were never designed for.

The fix isn't nicer ban policies, it's either honest API pricing or local models good enough for the job.

The 0.5B-3B parameter range is already surprisingly capable for code analysis tasks.

That's where this is heading whether Google likes it or not.

Ai has really struggled for a strong/kill-app use case for which supports such enormous humongous historical investments (TRILLIONS)

It looks like its been found. The irony is, these model providers are now saying : "not like that!"

I have never let openclaw touch my Google Account. I have used it only a few times using OpenCode and still my account was banned for violating ToS. Took me a while to figure it out because antigravity never shows you the specific error that occurred, just a simple "Something went wrong". They really should be more transparent about this, at least anthropic makes it clear upfront.

An AI company restricting the access of AIs to their AI.

Exactly my kind of humor.

Yup. Last week my Ultra account got ToS-banned from both the Gemini CLI and Antigravity simply for using OpenCode. Try as I might, I haven't been able to resolve the issue. I can technically still use the Gemini web/app, but it's remarkably terrible in just about every conceivable way. A truly impressive feat in itself.

That is presumably the end game - monthly subscription in a walled garden app while they have your balls in a vice grip and can squeeze however many dollars you’ll bear

I bet Google is thankful that anthropic took one for the team by going first.

Also if it wasn’t for Chinese providers we’d basically already be in triopoly.

Perplexity had a ban wave this weekend too

a preview of things to come, when the entire software trade is reliant on these third party services

all hosted by companies so huge they consider your $200/month to be an annoyance

rather than something valuable

TOS is TOS and if there is one company not to mess with it's Google because they don't give 2 shits about you. Going straight to a ban with 0 warning and 0 appeal possibility is exactly why I'll never use googles AI chat/coding products, it's just not worth the risk getting banned and losing access to other google services.

Wow, and I was complaining about Anthropic handling their comms.

For almost a trillion-dollar company, this is the worst customer experience I've ever seen. Departments sending poor guy to each other like a hot potato. Huge aura loss.

I used the pay as you go from google with openclaw for about one hour, then checked the next day and it cost me $7. It was the latest flash preview model. I can't justify the cost right now. At least I won't get banned though.

Yann Lecun warned that closed sourced models are the only true danger we are facing with LLMs (answering a question about "Will AI turn into Terminator" type of question).

He was right.

Is there any restrictions if you use something like OpenRouter?

So what is a "good-enough" model to use for OpenClaw now that the subscriptions are blocked. Is there an all you can eat subscription model that can be used?

Every day Google shows its true evil nature. So here clearly they want to offset competitors. That's the true agenda. We saw this when Google crippled ublock origin and then claimed the extension is "harmful", merely because it threatens Google's greed-income via ads.

Who here reads the full terms of service of every Google product they use? The fact that they disabled the whole Google account without warning is damning.

They could have easily just blocked the Gemini / Antigravity use and and/or sent a "final warning" kind of email beforehand.

If I was an investor in an AI provider I would be quite worried.

1) Switching between LLM API:s is incredibly easy if you are not concerned with differences in personality. As the models get better, it is less important to pick the best one.

2) The products built to bundle the API with a user experience are difficult to build on a level that outclasses open source alternatives.

3) Building an understanding of the user to increase the product value over time and create stickiness is effective, but imho less effective over time as time passes and the user changes. For example, I suspect that these adaptations have a hard time to unlearn things that are no longer true. Learning about the user opaquely is less useful to the user and doing it overtly makes it easier to take the learnings and go. (Besides, it is probably not legal under the GDPR to not let the user export the learnings and take them to another provider.)

Taken together, the moat becomes quite shallow. I see why they aggressively ban any tools demonstrating when open alternatives are in fact better than their own walled gardens.

edit: readability.

Sad, but inevitable. I guess only openai allows for this kind of usage now and copilot?

The only reason the subs are worth it to them, is to get you into their toolchain. It sucks but inevitable

It makes some sense. Some of the skills are malware, and google absolutely has the power to detect it by inspecting LLM I/O. If Google suspects that google account credentials have been compromised (via connecting to a malicious "integration"), it is rational to freeze the account (as opposed to letting the threat actors ride with the credentials they've stolen)

It's the old playbook again. They're using massive money to distort the market until the competition is bled dry while also operating the platform and using signal from the platform to target their competitors, classic DMA violation really. This all boils down to Chinese vendors getting banned from the market for "national security reasons" because if not, this all dies in a fire for Google investors. Nothing a gold pixel phone to the right places can't fix

Clearly the demand for special claw plans is right there. (eg Kimi.com already has plans with a one-click claw install included. I thought one or two others too)

It would be fun if Google lost its months of edge in the LLM value race because it alienated early adopters paying $250/month by using a 0-strike system with no customer support.

Looks like they are banning for using Gemini CLI / antigravity (subscription) endpoints instead of using Gemini API (pay as you go) endpoints.

It was already pretty restricted due to ludicrous rate limiting. I tried it just for fun with my Pro account and it was unusable. It couldn't do tasks properly without hitting rate limit, every other prompt.

Glad I saw this. I just installed openclaw on a fly.io machine to test out and planned to use my pro account.

Well, better start separating out your Google accounts.

Don't want to risk losing access to your Google Photos, Drive, Gmail, etc.

Although from a brief read, it seems the user still has access to other Google services.

Well, better start segregating for Google accounts.

Don't want to risk loosing access to your Google Photos, Drives, Gmail, etc.

Although at a brief read, it seems the user still have access to other Google services.