Google patches Antigravity flaw that allowed prompt injection

Google patched an Antigravity prompt injection flaw in the find_by_name search that could run commands and bypass Secure Mode; fix deployed Feb. 28 after disclosure by Pillar Security.

Google patched a vulnerability in its Antigravity AI coding environment that let attackers run commands on a developer’s machine by injecting input into the find_by_name file-search tool. Google marked the issue fixed on Feb. 28 after researchers from Pillar Security reported the flaw.

Pillar Security found that the find_by_name tool passed user input directly to an underlying command-line utility without validating it. Malicious input could be interpreted as a shell command instead of a search query. To demonstrate the issue, researchers created a test script in a project workspace and triggered it through the search tool; when executed, the script opened the computer’s calculator application.

The vulnerability could support a multi-step attack because Antigravity can create files as an allowed action. An attacker could stage a malicious script in a project and then trigger it via the search function without further user interaction, according to Pillar Security. The firm reported the issue to Google on Jan. 7, and Google acknowledged the report the same day.

Pillar Security wrote: “The industry must move beyond sanitization-based controls toward execution isolation. Every native tool parameter that reaches a shell command is a potential injection point. Auditing for this class of vulnerability is no longer optional, and it is a prerequisite for shipping agentic features safely.”

Prompt injection attacks embed hidden instructions in files or text so an AI tool treats them as legitimate directives. Developer tools that read README files, license texts or other project documents during normal operations can process those hidden instructions and perform actions without additional user prompts.

Google’s update removed the specific find_by_name injection vector. Pillar Security recommended auditing agentic features and isolating execution paths for any tool parameters that reach shell commands to prevent similar vulnerabilities.
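As an added illustration of that recommendation (this is not code from Google, Antigravity or Pillar Security), the sketch below shows a file-search wrapper that keeps the caller's pattern as data rather than letting it reach a shell. It assumes the underlying utility is POSIX find, which the article does not name; build_find_argv, this find_by_name function and the length limit are hypothetical.

```python
import os
import subprocess
import tempfile

MAX_PATTERN_LEN = 256  # assumed limit, not from the article


def build_find_argv(workspace: str, pattern: str) -> list:
    """Build an argv list for find(1); the pattern is only ever the -name operand."""
    if not pattern or len(pattern) > MAX_PATTERN_LEN:
        raise ValueError("pattern is empty or too long")
    if "\x00" in pattern or "/" in pattern:
        raise ValueError("pattern must be a bare file-name glob")
    if pattern.startswith("-"):
        # Conservative: never hand the utility a value that looks like an option.
        raise ValueError("pattern must not start with '-'")
    # realpath() yields an absolute path, so the root cannot be parsed as an option.
    root = os.path.realpath(workspace)
    return ["find", root, "-type", "f", "-name", pattern, "-print0"]


def find_by_name(workspace: str, pattern: str) -> list:
    """Run the search without a shell, so ';', '$(...)' and '|' stay literal text."""
    argv = build_find_argv(workspace, pattern)
    proc = subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=10, check=True)
    hits = [p for p in proc.stdout.split("\0") if p]
    return sorted(os.path.relpath(p, argv[1]) for p in hits)


if __name__ == "__main__":
    # Constructed sample workspace and inputs, for illustration only.
    with tempfile.TemporaryDirectory() as ws:
        os.makedirs(os.path.join(ws, "src"))
        for rel in ("notes.txt", os.path.join("src", "app.py")):
            open(os.path.join(ws, rel), "w").close()
        for query in ("*.py", "*.py; touch MARKER", "--flag"):
            try:
                print(repr(query), "->", find_by_name(ws, query))
            except ValueError as err:
                print(repr(query), "-> rejected:", err)
```

Argument separation of this kind is one layer only; it does not replace running the tool in an isolated execution environment, which is what Pillar Security's statement calls for.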
