Security Vulnerabilities Discovered in Google's Antigravity IDE

ai-security

Critical security flaws in Google's Antigravity IDE, including remote code execution via prompt injection and data exfiltration, are detailed, highlighting inherited vulnerabilities and offering mitigations.

Google recently launched Antigravity, an Integrated Development Environment (IDE) built upon the Windsurf codebase, following a significant licensing agreement. This raised questions regarding whether previously reported vulnerabilities in Windsurf, identified prior to the acquisition, had been addressed in Antigravity. Investigations confirm that several of these known security flaws persist in the new IDE.

This analysis details five significant security vulnerabilities, including various data exfiltration vectors and remote command execution achieved through indirect prompt injection. While the continued presence of these known flaws in the product is surprising, Google has begun publicly documenting them following initial researcher reports. The primary objective of this post is to raise awareness and offer practical mitigation strategies, rather than to provide full exploit payload details.

The vulnerabilities discussed include:

  • Antigravity System Prompt
  • Issue #1: Remote Command Execution via Indirect Prompt Injection (Auto-Execute Bypasses)
  • Issue #2: Antigravity Follows Hidden Instructions
  • Issue #3: Lack of Human in the Loop for MCP Tool Invocations
  • Issue #4: Data Exfiltration via read_url_content tool
  • Issue #5: Data Exfiltration via Image Rendering
  • Recommendations and Mitigations

Antigravity System Prompt

The Antigravity system prompt for a typical session can be examined. This prompt, particularly in “Fast” mode, integrates tools from attached MCP (Managed Compute Platform) servers. Another early public disclosure of an Antigravity system prompt, likely from “Planning” mode, also exists.

Issue #1: Remote Command Execution via Indirect Prompt Injection (Auto-Execute Bypasses)

Antigravity IDE's default configuration allows the AI to execute Terminal commands via the run_command tool at its discretion, without human intervention. This poses a significant risk, as the AI's assessment of a command's safety is not a reliable security boundary. While simple commands like calc.exe might appear benign, more sophisticated attacks involving remote script loading (e.g., via curl) are often initially refused by models like Claude and Gemini 3. However, these refusals originate from the model's suggestions, not from robust security enforcement. Exploits have been developed to bypass these model-based guardrails, enabling arbitrary remote code execution within Antigravity, demonstrated with both Gemini 3 and Claude Sonnet 4.5.

The screenshot above illustrates a source code file containing instructions that hijack Gemini 3 to download and run a remote script via bash (which then launches a calculator). This demonstrates arbitrary code execution through a remote script, highlighting how Antigravity over-relies on the LLM to enforce security.

Issue #2: Antigravity Follows Hidden Instructions

Gemini models, especially Gemini 3, exhibit a remarkable ability to interpret invisible instructions. This behavior directly affects the Antigravity IDE, allowing attackers to embed hidden commands within code or data sources, invisible to users in the UI. When Antigravity processes this content and sends it to Gemini, the embedded instructions are followed, increasing the efficacy of covert attacks.

A demonstration involved a file with invisible instructions designed to print specific text and invoke run_command to download and execute malware, leveraging tools like ASCII Smuggler for encoding. The result, when the file enters the chat context, is presented below. This vulnerability is particularly concerning as code reviews are unlikely to detect such hidden directives.

This weakness, previously reported in earlier Gemini-based applications, remains unaddressed at the model and API levels, meaning all applications built on Gemini models inherit this critical flaw. The increasing sophistication of models like Gemini 3 Fast appears to further exacerbate this issue by frequently bypassing existing guardrails.

Issue #3: Lack of Human in the Loop for MCP Tool Invocations

A critical security control missing in Antigravity IDE is the 'human-in-the-loop' feature when invoking tools from an MCP server. This absence allows indirect prompt injection attacks or even AI hallucinations to trigger any added MCP tool automatically. Crucially, invisible Unicode Tag characters can also be embedded as instructions within source code or delivered via MCP tool calls. For instance, hidden instructions within a Linear ticket, when brought into the chat context by a developer using an MCP tool, can lead to the full compromise of the developer's workstation via remote code execution.

Again, this significantly increases the stealth and success rate of attacks, as they remain unnoticed by developers. The lack of consent for tool invocation can lead to data exfiltration, code execution, or data manipulation/deletion, depending on the tool's capabilities. Competitors like GitHub Copilot have implemented features to display MCP tool results to developers, allowing them to decide whether to include the data in the prompt context.

Current Mitigating Factors For MCP and Recommendations

While disabling individual tools is an option, a secure method for enabling dangerous tools is currently lacking. A potential improvement involves auto-approving readOnly tools while requiring human-in-the-loop for tools annotated with destructiveHint or openWorldHint. However, even readOnly tools can have data leakage side-effects, making automatic invocation exploitable. Therefore, allowing organizations to configure settings based on their specific risk appetite is essential.

Issue #4: Data Exfiltration via read_url_content

Antigravity IDE exhibits several data exfiltration vulnerabilities, many of which are inherited from Windsurf and have been known since at least May 2025. A primary concern is the read_url_content tool, which can be invoked without human intervention during an indirect prompt injection attack.

A demonstration exploit first uses the read_file tool to access sensitive files like .env, then exfiltrates their contents to an attacker-controlled server using read_url_content. It's important to note that attack payloads are not limited to source code files; they can originate from tool call responses (as seen with Linear tickets) or even be initiated by a compromised model.

Issue #5: Data Exfiltration via Image Rendering

The AI can also inadvertently leak data by rendering HTML images through markdown syntax. A data exfiltration scenario, reproducible from Windsurf, involves embedding a prompt injection exploit within a .c file. When Antigravity is instructed to explain this file, it invokes the read_file tool to access the developer's .env file and subsequently exfiltrates sensitive data to a third-party server by loading an image via an HTTP request. This vulnerability has been independently reported by multiple researchers, eliciting similar responses from Google.

Recommendations and Mitigations

Detailed video demonstrations are available, illustrating these scenarios and exploits. Several recommendations can help mitigate these security issues:

  • Exercise caution when enabling MCP servers and disable any dangerous tools.
  • The Antigravity development team should prioritize implementing human-in-the-loop controls by default for MCP servers, especially for destructive or consequential tools.
  • Develop CI/CD tooling to programmatically detect hidden Unicode Tags, as manual code reviews are ineffective against such prompt injection attacks.
  • Developers may consider using alternative IDEs until these vulnerabilities are resolved.
  • Disable the default “Auto-Execute” feature, opting for manual approvals and carefully whitelisting trusted Terminal commands.
  • Organizations widely deploying Antigravity should conduct Red or Purple Team exercises to identify detection and monitoring gaps.
  • Maintain readiness to use the “Stop” functionality to halt potentially malicious AI actions.
  • While “High thinking mode” and “planning” offer some resilience against adversarial misalignment (e.g., prompt injection), they are not foolproof solutions.

The evolution of Antigravity's security posture in response to these relatively straightforward bug fixes, which are crucial for a secure out-of-the-box experience, will be a key indicator.

Conclusion

This analysis revisited common vulnerabilities previously identified in Windsurf and discussed in earlier AI security reports. Regrettably, Google’s Antigravity IDE suffers from many of the same security flaws, with disclosures dating back to May 2025. While coding agents represent a significant technological advancement, their security implications must be taken seriously. More mature coding agents with established security and patching histories, such as Claude Code, GitHub Copilot, Cursor, Codex, and Google’s own Gemini CLI, offer alternatives, with some already supporting Gemini 3. Users and organizations should remain vigilant for official Antigravity CVEs and security updates.