Google patched Antigravity sandbox escape bug after prompt injection research

Google patched a vulnerability in its Antigravity AI developer tool after Pillar Security found that prompt injection and a permitted file-creation capability could lead to remote code execution and a sandbox escape, according to a technical analysis from Pillar Security.

KEY FACTS

  • Impact: The flaw could let an attacker gain remote code execution privileges.
  • Security mode: It bypassed Antigravity's Secure Mode, Google’s highest security setting for agents.
  • Timeline: Pillar Security reported the bug on Jan. 6 and Google patched it on Feb. 28.
  • Trigger: Prompt injection could arrive through compromised accounts, malicious files or web content the agent ingests.

The report said the exploit worked because one file-searching tool, called find_by_name, was treated as a native system tool. That allowed the agent to run it directly before Secure Mode could evaluate the command.

In that setup, the security boundary never saw the call, according to the disclosure. The researchers said the issue showed how unvalidated input can be interpreted as instructions by autonomous agents.

Secure Mode is designed to route command operations through a virtual sandbox, throttle network access and prevent the agent from writing outside the working directory. Google also awarded a bug bounty for the disclosure.
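The design flaw described above can be shown with a simplified model. This is an added illustration, not Antigravity's or Pillar Security's code: the SecureGate class, the dispatcher functions, the stand-in find_by_name and the workspace-confinement policy are all hypothetical. One dispatcher lets "native" tools skip the policy boundary; the other routes every call through it.

```python
import fnmatch, os, tempfile

class PolicyViolation(Exception): pass

class SecureGate:
    """Hypothetical policy boundary; `seen` is its audit trail."""
    def __init__(self, workspace):
        self.workspace = os.path.realpath(workspace)
        self.seen = []
    def evaluate(self, tool, args):
        self.seen.append(tool)
        # Assumed policy: the target directory must stay inside the workspace.
        target = os.path.realpath(os.path.join(self.workspace, args["directory"]))
        if os.path.commonpath([self.workspace, target]) != self.workspace:
            raise PolicyViolation(f"{tool}: {target} is outside the workspace")

def find_by_name(workspace, directory, pattern):
    """Stand-in search tool: file names under `directory` matching `pattern`."""
    root = os.path.join(workspace, directory)
    return sorted(name for _, _, files in os.walk(root)
                  for name in files if fnmatch.fnmatch(name, pattern))

TOOLS = {"find_by_name": find_by_name}
NATIVE = {"find_by_name"}  # tools the flawed dispatcher trusts implicitly

def dispatch_flawed(gate, tool, args):
    if tool not in NATIVE:          # native tools skip the boundary entirely
        gate.evaluate(tool, args)
    return TOOLS[tool](gate.workspace, **args)

def dispatch_hardened(gate, tool, args):
    gate.evaluate(tool, args)       # every call is evaluated, no fast path
    return TOOLS[tool](gate.workspace, **args)

def demo():
    with tempfile.TemporaryDirectory() as base:
        ws = os.path.join(base, "project")
        os.mkdir(ws)
        open(os.path.join(base, "outside.txt"), "w").close()
        call = {"directory": "..", "pattern": "*.txt"}  # constructed model-supplied args
        flawed_gate, hardened_gate = SecureGate(ws), SecureGate(ws)
        leaked = dispatch_flawed(flawed_gate, "find_by_name", call)
        try:
            dispatch_hardened(hardened_gate, "find_by_name", call)
            blocked = False
        except PolicyViolation:
            blocked = True
        return leaked, flawed_gate.seen, blocked, hardened_gate.seen
```

In the flawed path the gate's audit trail stays empty even though the tool ran, so a review of tool dispatch should compare executed calls against the calls the boundary recorded.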

WHY IT MATTERS

The case highlights how AI agents can turn ordinary files or web content into an attack path if they cannot separate data from instructions. It also suggests that security controls for agentic systems may need to go beyond sanitization and similar checks.