Pillar Security — Google Antigravity Sandbox Escape via Prompt Injection

AI relevance: Google's Antigravity agentic IDE has a prompt injection flaw that completely bypasses its Secure Mode sandbox, proving that "secure" AI configurations can still deliver root-level RCE when native tool parameters aren't validated.

What happened

  • Pillar Security researcher Dan Lisichkin disclosed a vulnerability in the filesystem tooling of Google Antigravity, Google's AI-powered developer IDE.
  • The bug lives in the find_by_name tool, which wraps the fd file-search utility. Its Pattern parameter is passed directly to the underlying shell command without sanitization or -- argument termination.
  • An attacker injects the -X (exec-batch) flag through the Pattern parameter, forcing fd to execute arbitrary binaries against matched workspace files.
  • Because Antigravity can create files as a permitted action, the full attack chain is: stage a malicious script in the workspace, then trigger it via a crafted find_by_name call.
  • Critically, find_by_name is classified as a "native tool" — not a shell command — so it executes before Secure Mode's command-level restrictions are evaluated. The security boundary never sees the call.
  • This means attackers achieve arbitrary code execution under the exact configuration (Secure Mode) that security-conscious users rely on to prevent it.
  • The prompt injection can be delivered indirectly through malicious files or web content the agent ingests — no elevated access required.
  • Google patched the issue on February 28 after a January 6 report and awarded a bug bounty.

Why it matters

  • Antigravity's Secure Mode is the strictest security posture Google offers for the product, and it was completely bypassed without triggering any of its controls.
  • This follows a pattern seen across coding agents: native tools designed for constrained operations become weaponizable when their parameters aren't strictly validated.
  • Pillar notes the same issue pattern has been found in other coding AI agents, including Cursor.
  • The finding reinforces that sanitization-based controls alone are insufficient for agentic AI — every native tool parameter that reaches a shell command is a potential injection point.

What to do

  • If you run Antigravity, ensure you're on the patched version released after February 28.
  • Audit all agentic IDEs and AI tools you use for native tools that pass unvalidated parameters to underlying system commands.
  • Apply the defense-in-depth model: assume any unvalidated input — including file contents the agent reads — can become a malicious prompt.
  • For teams building agent tools: always use -- argument termination and validate parameters against expected character sets before passing them to subprocess calls.
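The following is an added illustration of the last point above, written for this summary rather than taken from Antigravity, Pillar Security or the fd project. It contrasts a hypothetical string-built shell invocation (the shape of flaw described under "What happened", where a pattern beginning with a dash is read by fd as an option) with a hardened wrapper that builds an argv list, inserts `--` to end option parsing, and allowlists the pattern's characters. The function names, the allowed character set and the `--glob` flag choice are assumptions made for the example; `--glob` and `--` are real fd/clap conventions, but confirm them against the fd version you deploy.

```python
import re
import shlex
import subprocess
from typing import List

# Hypothetical allowlist for a file-name glob: letters, digits, '_', '.', '*', '?',
# '[', ']', '-' and '/'. Anything else (spaces, quotes, shell metacharacters) is rejected.
SAFE_PATTERN = re.compile(r"^[A-Za-z0-9_.*?\[\]\-/]+$")


class UnsafePatternError(ValueError):
    """Raised when a tool parameter does not look like a plain search pattern."""


def build_fd_command_unsafe(pattern: str, root: str = ".") -> str:
    """Anti-pattern (constructed for contrast): the pattern is spliced into a shell
    string with no validation and no '--', so a value starting with '-' is parsed
    by fd as an option instead of as a search pattern."""
    return f"fd {pattern} {shlex.quote(root)}"


def validate_pattern(pattern: str) -> str:
    """Reject anything that is not a plain search pattern.

    Two independent checks: a leading dash is refused outright (it would be read
    as an option), and every remaining character must come from the allowlist.
    """
    if not pattern:
        raise UnsafePatternError("empty pattern")
    if pattern.startswith("-"):
        raise UnsafePatternError("pattern must not start with '-'")
    if not SAFE_PATTERN.fullmatch(pattern):
        raise UnsafePatternError("pattern contains characters outside the allowed set")
    return pattern


def is_pattern_safe(pattern: str) -> bool:
    """Boolean view of validate_pattern, convenient for audits and tests."""
    try:
        validate_pattern(pattern)
        return True
    except UnsafePatternError:
        return False


def build_fd_argv(pattern: str, root: str = ".") -> List[str]:
    """Hardened form: an argv list (never a shell string) with '--' placed before
    the user-controlled arguments so fd stops option parsing at that point."""
    safe = validate_pattern(pattern)
    return ["fd", "--glob", "--", safe, root]


def find_by_name(pattern: str, root: str = ".") -> List[str]:
    """Run fd with the hardened argv and return matched paths, one per line.
    Requires fd to be installed; the validation above runs before anything executes."""
    argv = build_fd_argv(pattern, root)
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return [line for line in result.stdout.splitlines() if line]


if __name__ == "__main__":
    # Constructed inputs: a benign glob and a flag-shaped value.
    for candidate in ["*.py", "-X"]:
        print(candidate, "->", "accepted" if is_pattern_safe(candidate) else "rejected")
    print("hardened argv:", build_fd_argv("src/*.py"))
```

The important design choice is that neither check is load-bearing on its own: even if the allowlist were loosened, the `--` keeps a dash-prefixed value from being interpreted as an option, and even if `--` were forgotten, the allowlist and leading-dash check refuse the value before `subprocess.run` is reached. Apply the same pattern to every native-tool parameter that ends up on a command line, not only the search pattern.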

Sources