DevTools Summary

Google Restricts AI Ultra Accounts Over OpenClaw OAuth

Google locked AI Ultra subscribers out of Gemini models for using OpenClaw OAuth, with no warning or explanation. Anthropic banned third-party access two days earlier.

Google restricted AI Ultra accounts that accessed Gemini models through OpenClaw, a third-party OAuth client. No warning. No explanation. Users paying $249.99 per month lost access to Gemini 2.5 Pro, and in some cases faced restrictions on Gmail and Workspace.

The timing matters: Anthropic updated its terms to ban OAuth token usage in third-party tools just two days earlier. Same calculation, same week.

Key facts:

  • AI Ultra subscribers lost Gemini access after connecting through OpenClaw OAuth
  • Restrictions arrived with no TOS violation cited, no human support available
  • Google account restrictions can cascade from AI products to Gmail, Workspace, cloud storage
  • Anthropic explicitly banned OAuth tokens from Claude subscriptions in third-party tools on Feb 20
  • OpenClaw has 21,639 exposed instances and five CVEs patched between Jan 25-30

Token arbitrage broke the economics

The crackdown centers on what Anthropic engineer Thariq Shihipar called token arbitrage. AI providers price subscriptions as all-you-can-eat plans with usage expectations built in. Third-party agent frameworks like OpenClaw shattered those assumptions by routing tokens through automated, high-throughput workflows.

Anthropic’s updated terms make the rule explicit: OAuth tokens from Claude Free, Pro, and Max accounts work only in Claude Code and Claude.ai. Using them elsewhere violates Section 3.7, which has technically forbidden this since February 2024 but went unenforced until the economics forced action.

OpenCode, another third-party tool, pushed a commit Thursday removing Claude Pro and Max support, citing “anthropic legal requests.”

Google took a blunter approach: it simply started restricting accounts. No updated terms. No public statement. Forum users reported automated rejection emails when appealing. One developer described trying to create a fresh Google account only to see it restricted immediately.

Varun Mohan, Antigravity’s creator at Google DeepMind, mentioned in the forum thread that the team is looking into the situation. But no timeline or policy clarification has emerged.

Security risks compounded the problem

OpenClaw’s security record added pressure. Censys identified 21,639 exposed instances on the public internet as of January 31. SecurityScorecard found hundreds of thousands more carrying potential remote code execution risks.

Infostealers already adapted. Hudson Rock disclosed a Vidar variant that exfiltrated a user’s full OpenClaw configuration — gateway tokens, cryptographic keys, and the agent’s soul.md instruction file. The malware wasn’t even targeting OpenClaw specifically. A broad file sweep accidentally captured the entire operational context.

Then ClawHavoc: a supply chain attack using professional-looking skills uploaded to ClawHub, OpenClaw’s plugin marketplace. The “helper agent” actually deployed Atomic Stealer, giving attackers remote control over the victim’s instance and every connected service.

What changed for developers

Short-term: stop using third-party OAuth clients with AI subscriptions. Revert to native interfaces or consider API key access with per-token pricing.

Longer-term: the trust calculation shifted. Choosing an AI platform now includes weighing the risk that a provider will retroactively restrict how you access what you’ve paid for.

OpenAI is the outlier — hiring OpenClaw creator Peter Steinberger and endorsing third-party harness usage. That looks generous. It might also be a bet that owning the developer relationship matters more than protecting subscription margins.

For Google’s AI Ultra subscribers, the forum thread keeps growing. Google still hasn’t issued a public statement. No affected user has reported a restored account.
