chore(onboarding): add explicit account-risk warning for Gemini CLI OAuth and docs (#16683)

* docs: add account-risk caution to Google OAuth provider docs * docs(plugin): add Gemini CLI account safety caution * CLI: add risk hint for Gemini CLI auth choice * Onboarding: require confirmation for Gemini CLI OAuth * Tests: cover Gemini CLI OAuth risk confirmation flow
2026-03-12 07:20:45 +00:00 · 2026-02-26 15:25:42 -05:00
parent 764cd5a310
commit 5a453eacbd
5 changed files with 117 additions and 1 deletions
--- a/docs/concepts/model-providers.md
+++ b/docs/concepts/model-providers.md
@@ -104,6 +104,7 @@ OpenClaw ships with the pi‑ai catalog. These providers require **no**

 - Providers: `google-vertex`, `google-antigravity`, `google-gemini-cli`
 - Auth: Vertex uses gcloud ADC; Antigravity/Gemini CLI use their respective auth flows
+- Caution: Antigravity and Gemini CLI OAuth in OpenClaw are unofficial integrations. Some users have reported Google account restrictions after using third-party clients. Review Google terms and use a non-critical account if you choose to proceed.
 - Antigravity OAuth is shipped as a bundled plugin (`google-antigravity-auth`, disabled by default).
  - Enable: `openclaw plugins enable google-antigravity-auth`
  - Login: `openclaw models auth login --provider google-antigravity --set-default`
--- a/extensions/google-gemini-cli-auth/README.md
+++ b/extensions/google-gemini-cli-auth/README.md
@@ -2,6 +2,12 @@

 OAuth provider plugin for **Gemini CLI** (Google Code Assist).

+## Account safety caution
+
+- This plugin is an unofficial integration and is not endorsed by Google.
+- Some users have reported account restrictions or suspensions after using third-party Gemini CLI and Antigravity OAuth clients.
+- Use caution, review the applicable Google terms, and avoid using a mission-critical account.
+
 ## Enable

 Bundled plugins are disabled by default. Enable this one:
--- a/src/commands/auth-choice-options.ts
+++ b/src/commands/auth-choice-options.ts
@@ -242,7 +242,7 @@ const BASE_AUTH_CHOICE_OPTIONS: ReadonlyArray<AuthChoiceOption> = [
  {
    value: "google-gemini-cli",
    label: "Google Gemini CLI OAuth",
-    hint: "Uses the bundled Gemini CLI auth plugin",
+    hint: "Unofficial flow; review account-risk warning before use",
  },
  { value: "zai-api-key", label: "Z.AI API key" },
  {
--- a/src/commands/auth-choice.apply.google-gemini-cli.test.ts
+++ b/src/commands/auth-choice.apply.google-gemini-cli.test.ts
@@ -0,0 +1,86 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { applyAuthChoiceGoogleGeminiCli } from "./auth-choice.apply.google-gemini-cli.js";
+import type { ApplyAuthChoiceParams } from "./auth-choice.apply.js";
+import { applyAuthChoicePluginProvider } from "./auth-choice.apply.plugin-provider.js";
+import { createExitThrowingRuntime, createWizardPrompter } from "./test-wizard-helpers.js";
+
+vi.mock("./auth-choice.apply.plugin-provider.js", () => ({
+  applyAuthChoicePluginProvider: vi.fn(),
+}));
+
+function createParams(
+  authChoice: ApplyAuthChoiceParams["authChoice"],
+  overrides: Partial<ApplyAuthChoiceParams> = {},
+): ApplyAuthChoiceParams {
+  return {
+    authChoice,
+    config: {},
+    prompter: createWizardPrompter({}, { defaultSelect: "" }),
+    runtime: createExitThrowingRuntime(),
+    setDefaultModel: true,
+    ...overrides,
+  };
+}
+
+describe("applyAuthChoiceGoogleGeminiCli", () => {
+  const mockedApplyAuthChoicePluginProvider = vi.mocked(applyAuthChoicePluginProvider);
+
+  beforeEach(() => {
+    mockedApplyAuthChoicePluginProvider.mockReset();
+  });
+
+  it("returns null for unrelated authChoice", async () => {
+    const result = await applyAuthChoiceGoogleGeminiCli(createParams("openrouter-api-key"));
+
+    expect(result).toBeNull();
+    expect(mockedApplyAuthChoicePluginProvider).not.toHaveBeenCalled();
+  });
+
+  it("shows caution and skips setup when user declines", async () => {
+    const confirm = vi.fn(async () => false);
+    const note = vi.fn(async () => {});
+    const params = createParams("google-gemini-cli", {
+      prompter: createWizardPrompter({ confirm, note }, { defaultSelect: "" }),
+    });
+
+    const result = await applyAuthChoiceGoogleGeminiCli(params);
+
+    expect(result).toEqual({ config: params.config });
+    expect(note).toHaveBeenNthCalledWith(
+      1,
+      expect.stringContaining("This is an unofficial integration and is not endorsed by Google."),
+      "Google Gemini CLI caution",
+    );
+    expect(confirm).toHaveBeenCalledWith({
+      message: "Continue with Google Gemini CLI OAuth?",
+      initialValue: false,
+    });
+    expect(note).toHaveBeenNthCalledWith(
+      2,
+      "Skipped Google Gemini CLI OAuth setup.",
+      "Setup skipped",
+    );
+    expect(mockedApplyAuthChoicePluginProvider).not.toHaveBeenCalled();
+  });
+
+  it("continues to plugin provider flow when user confirms", async () => {
+    const confirm = vi.fn(async () => true);
+    const note = vi.fn(async () => {});
+    const params = createParams("google-gemini-cli", {
+      prompter: createWizardPrompter({ confirm, note }, { defaultSelect: "" }),
+    });
+    const expected = { config: {} };
+    mockedApplyAuthChoicePluginProvider.mockResolvedValue(expected);
+
+    const result = await applyAuthChoiceGoogleGeminiCli(params);
+
+    expect(result).toBe(expected);
+    expect(mockedApplyAuthChoicePluginProvider).toHaveBeenCalledWith(params, {
+      authChoice: "google-gemini-cli",
+      pluginId: "google-gemini-cli-auth",
+      providerId: "google-gemini-cli",
+      methodId: "oauth",
+      label: "Google Gemini CLI",
+    });
+  });
+});
--- a/src/commands/auth-choice.apply.google-gemini-cli.ts
+++ b/src/commands/auth-choice.apply.google-gemini-cli.ts
@@ -4,6 +4,29 @@ import { applyAuthChoicePluginProvider } from "./auth-choice.apply.plugin-provid
 export async function applyAuthChoiceGoogleGeminiCli(
  params: ApplyAuthChoiceParams,
 ): Promise<ApplyAuthChoiceResult | null> {
+  if (params.authChoice !== "google-gemini-cli") {
+    return null;
+  }
+
+  await params.prompter.note(
+    [
+      "This is an unofficial integration and is not endorsed by Google.",
+      "Some users have reported account restrictions or suspensions after using third-party Gemini CLI and Antigravity OAuth clients.",
+      "Proceed only if you understand and accept this risk.",
+    ].join("\n"),
+    "Google Gemini CLI caution",
+  );
+
+  const proceed = await params.prompter.confirm({
+    message: "Continue with Google Gemini CLI OAuth?",
+    initialValue: false,
+  });
+
+  if (!proceed) {
+    await params.prompter.note("Skipped Google Gemini CLI OAuth setup.", "Setup skipped");
+    return { config: params.config };
+  }
+
  return await applyAuthChoicePluginProvider(params, {
    authChoice: "google-gemini-cli",
    pluginId: "google-gemini-cli-auth",