Prompt Injection Meets File System Access: How Google's Antigravity IDE Became a Code Execution Gateway

Original research reported by The Hacker News. CypherByte analysis and commentary are independent and represent our own threat intelligence assessment.

Executive Summary

Cybersecurity researchers have uncovered and responsibly disclosed a significant vulnerability chain in Google's Antigravity, the company's agentic integrated development environment (IDE). The flaw — now patched — demonstrates how the expanding attack surface of AI-assisted development tooling can be exploited when two individually modest weaknesses are combined: a permitted file-creation capability and an insufficient input sanitization flaw in Antigravity's native find_by_name file-searching tool. Together, these weaknesses allowed an attacker to bypass Antigravity's Strict mode protections and achieve arbitrary code execution within the IDE's environment. This is not a theoretical edge case — it is a practical, demonstrable attack path against a tool designed to operate with elevated autonomy on developer machines.

Who should care: This vulnerability is immediately relevant to enterprise security teams managing developer workstations, DevSecOps practitioners governing AI-assisted tooling, and platform security architects evaluating agentic AI products. As organizations accelerate adoption of agentic IDEs and AI coding assistants — tools that, by design, can read files, write files, execute commands, and call external services — the attack surface for prompt injection and tool-abuse chains is growing faster than the defensive frameworks designed to contain them. Antigravity represents a bellwether. The same vulnerability class will appear again, in different products, with potentially less responsive disclosure timelines.

Technical Analysis

At its core, this vulnerability is a prompt injection attack that weaponizes the agent's own tooling against itself. To understand the mechanics, it helps to understand what agentic IDEs like Antigravity are designed to do. Unlike traditional IDEs, agentic environments allow an underlying large language model (LLM) to autonomously invoke tools — file operations, search functions, shell commands, external API calls — in pursuit of a developer-specified goal. Strict mode in Antigravity was designed to function as a guardrail, restricting the scope of what the agent could do autonomously without explicit user confirmation.

The attack chain works as follows. First, an attacker — or a malicious file already present in the workspace, potentially introduced via a compromised dependency or repository — crafts a file containing an injected prompt payload. This payload is designed to be consumed by the Antigravity agent when it processes workspace content. Second, when the agent invokes the find_by_name tool to search for files matching a given pattern, the tool fails to adequately sanitize its input or the content it returns to the agent's context window. This unsanitized content becomes part of the agent's active reasoning context. Third, the injected prompt instructs the agent to use its permitted file-creation capability as a stepping stone — writing a file whose contents or name are themselves executable, or whose creation triggers downstream execution within the IDE's runtime. The Strict mode bypass is the critical unlock: because the injected instructions arrive through the agent's trusted tool-call pipeline rather than as direct user input, the mode's enforcement logic fails to flag or block the operation.

The elegance — and the danger — of this chain is that no single component is catastrophically broken in isolation. File creation is a legitimate, necessary capability. find_by_name is a standard utility function. Strict mode is a real control. The vulnerability emerges entirely from the intersection of these components and the implicit trust the agent places in data returned by its own tools. This is a textbook demonstration of what security researchers call a confused deputy problem in the context of LLM tool orchestration: the agent acts on behalf of an attacker because it cannot distinguish between legitimate tool output and adversarially crafted content masquerading as tool output.

Impact Assessment

Affected systems include any developer or team running an unpatched version of Google's Antigravity IDE with the agent's file-access capabilities enabled. Given that Antigravity is designed for use on developer workstations — machines that typically hold source code, credentials, SSH keys, cloud provider tokens, and access to internal build systems — the blast radius of a successful exploitation is significant. Code execution in this context is not merely a sandbox escape; it is a foothold into some of the most sensitive and privileged environments in a modern organization.

Real-world consequences of exploitation include: exfiltration of source code and intellectual property, theft of developer credentials and secrets stored in the workspace or accessible via the IDE's environment, injection of malicious code into the project under development (a supply chain attack vector), lateral movement via SSH keys or cloud credentials present on the developer machine, and persistent access through modifications to configuration files, startup scripts, or CI/CD pipeline definitions. The supply chain implications are particularly concerning: a developer running an affected version of Antigravity on a project with a single malicious file — potentially introduced through a compromised open-source package — could unknowingly become both victim and vector, with the agent autonomously introducing backdoors into production-bound code.

CypherByte's Perspective

This vulnerability should be read as a structural warning about the agentic AI development paradigm, not merely as a product-specific bug to patch and move on from. The security industry has decades of hard-won knowledge about sanitizing inputs, enforcing least-privilege, and auditing trust boundaries in traditional software. That knowledge is being systematically under-applied as organizations rush to deploy agentic AI tooling. When an LLM agent can read files, write files, execute code, and call external services — and when its reasoning is influenced by the content it processes — every piece of data the agent touches becomes a potential attack surface.

The Strict mode bypass is particularly instructive. Security controls that operate at the user-intent layer — intercepting what a user explicitly asks the agent to do — are fundamentally weaker than controls that operate at the capability layer, enforcing what the agent is architecturally able to do regardless of instruction. Organizations evaluating agentic IDEs should be asking hard questions: Can this agent be instructed by content it reads? Does the tool pipeline sanitize returned data before it enters the model context? Are capability restrictions enforced at the API or permission level, or only at the prompt layer? Google's responsive patching here is commendable, but the underlying vulnerability class — prompt injection via trusted tool output — is not patched away. It is a design challenge the entire industry needs to address with architectural rigor.

Indicators and Detection

Defenders and security teams should look for the following indicators of potential exploitation or probing activity related to this vulnerability class:

• Anomalous file creation events originating from IDE agent processes, particularly files with executable extensions (.sh, .py, .js, .bat) or files created in startup, configuration, or CI/CD pipeline directories without corresponding developer action in version control.

• Unexpected outbound network connections from IDE processes, especially to unfamiliar endpoints shortly following a find_by_name tool invocation or file-indexing operation.

• Agent activity logs (where available) showing find_by_name calls followed immediately by file-write operations in the same session, without a clear corresponding user prompt initiating that workflow.

• Workspace files containing prompt-like natural language instructions embedded in code comments, README files, or configuration files, particularly instructions referencing agent capabilities, tool names, or attempting to override operational modes.

• Version control anomalies: commits attributed to the developer that the developer does not recognize, particularly modifications to .github/workflows, Makefile, deployment scripts, or dependency manifests.

Recommendations

CypherByte recommends the following specific actions for security teams and organizations using or evaluating agentic IDE tooling:

1. Patch immediately. If your organization uses Google Antigravity, verify that the patched version is deployed across all developer workstations. Consult Google's official advisory for specific version information and update instructions. Do not rely on Strict mode as a compensating control until you have confirmed you are running the patched build.

2. Audit agentic tool permissions. For any agentic IDE or AI coding assistant in use, inventory the tools available to the agent. Apply the principle of least privilege: disable tools the agent does not need for its defined workflows. File creation, shell execution, and network access capabilities should each be individually justified and documented.

3. Treat workspace content as untrusted input. Enforce code review policies that flag files containing natural language instructions, particularly in dependency manifests, configuration files, and documentation. Consider integrating prompt injection detection into pre-commit hooks or CI/CD pipeline scanning stages.

4. Isolate developer environments. Run agentic IDE tools in sandboxed or containerized environments where possible, with explicit restrictions on access to credentials, SSH keys, and cloud provider configuration files. Host-based controls should enforce that IDE agent processes cannot access ~/.ssh, ~/.aws, ~/.config, or equivalent credential stores.

5. Implement agent activity logging and alerting. Where the agentic IDE supports it, enable detailed logging of tool invocations and file operations. Route these logs to your SIEM and establish alerts for the behavioral indicators described above. Absence of visibility into agent behavior is itself a risk.

6. Establish a vendor security evaluation framework for agentic AI tools. Before deploying any agentic IDE or AI assistant to production developer environments, require vendors to document their prompt injection mitigations, tool input sanitization practices, and capability enforcement architecture. This vulnerability demonstrates that marketing-layer security claims (e.g., "Strict mode") must be backed by architectural evidence, not just documentation.

Source credit: Original vulnerability reporting by The Hacker News. CypherByte's analysis is based on publicly available information and our independent threat intelligence assessment. We will update this article as additional technical details are disclosed.