
Antigravity prompt injection and sandbox escape: are controls enough?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3789
Topic starter  

TL;DR: A prompt injection in Google’s Antigravity agentic IDE can turn the find_by_name tool’s Pattern parameter into arbitrary code execution by injecting fd flags, bypassing Secure Mode because the call is treated as a native tool invocation, according to Pillar Security researchers. The deeper issue is that shell-facing parameters in agentic tools create execution paths that security boundaries may never see, so sanitisation alone is not enough.

NHIMG editorial — based on content published by Pillar Security: Prompt Injection leads to RCE and Sandbox Escape in Antigravity

Questions worth separating out

Q: What breaks when prompt injection reaches native tools in an agentic IDE?

A: The usual separation between search, preview, and execution breaks down.

Q: Why do sandbox controls fail against native tool abuse?

A: Sandboxing often protects shell commands after dispatch, but native tool calls may execute earlier in the agent’s flow.

Q: How should security teams reduce risk from agentic IDE tool chains?

A: They should review every tool that can touch files, invoke utilities, or change execution state as a single workflow.

Practitioner guidance

  • Map native tool paths to execution risk: Inventory every agentic IDE tool that forwards parameters to shell-backed utilities, and mark those paths as privileged execution surfaces.
  • Block flag injection before command construction: Reject tool parameters that begin with hyphens or contain shell-control syntax before any downstream binary sees them.
  • Separate workspace writes from execution-capable tools: Treat file creation, file discovery, and execution-adjacent utilities as a combined abuse path.
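The following is an added illustration of the two guidance points above and of the Q&A point that native tool calls can run before the shell sandbox sees them; it is not Pillar Security's or Antigravity's code. It models a tiny tool dispatcher in which the find_by_name tool's Pattern parameter is validated (leading hyphen and shell-control characters rejected) before an argv for fd is built, and in which every tool that ends in a child process, native or shell, passes the same Secure Mode gate. The tool names follow the post; the dispatcher structure, the run_command tool, the approve callback and the use of fd's conventional `--` end-of-options marker are assumptions.

```python
import re
import shlex
import subprocess
from dataclasses import dataclass, field
from typing import Callable

# Constructed model of an agentic IDE tool dispatcher (assumption, not Antigravity's code).
SECURE_MODE = True

# Any tool that ends in a child process is gated alike, whether it is a
# "native" search tool or an explicit shell-command tool.
EXECUTION_TOOLS = {"find_by_name", "run_command"}

# Characters that could change command structure if a value were ever
# handed to a shell. We never use shell=True, but reject them anyway so a
# search pattern cannot quietly become a command in some later tool.
SHELL_CONTROL = re.compile(r"[;&|`$<>\n\r]")


class ToolParameterError(ValueError):
    """Raised when a tool parameter is rejected before command construction."""


@dataclass
class ToolCall:
    name: str
    args: dict = field(default_factory=dict)


def validate_pattern(pattern: str) -> str:
    """Reject values that fd could parse as a flag or a shell could parse as syntax."""
    if not isinstance(pattern, str) or not pattern.strip():
        raise ToolParameterError("Pattern must be a non-empty string")
    if pattern.lstrip().startswith("-"):
        # A leading hyphen is exactly what lets a search pattern be read as a flag.
        raise ToolParameterError("Pattern must not start with '-'")
    if SHELL_CONTROL.search(pattern):
        raise ToolParameterError("Pattern contains shell-control characters")
    return pattern


def build_fd_argv(pattern: str, root: str = ".") -> list[str]:
    """Build argv for fd with the pattern placed after the end-of-options marker."""
    safe = validate_pattern(pattern)
    # '--' (assumed to be honoured by fd, as by most CLIs) means nothing after it
    # is an option: defence in depth on top of validate_pattern.
    return ["fd", "--", safe, root]


def dispatch(call: ToolCall,
             approve: Callable[[list[str]], bool] = lambda argv: False,
             execute: bool = False):
    """Single choke point: every tool is checked here, before anything runs.

    Returns the argv when execute=False (useful for review and testing); runs
    the process with execute=True. Never invokes a shell.
    """
    if call.name == "find_by_name":
        argv = build_fd_argv(call.args["Pattern"], call.args.get("Path", "."))
    elif call.name == "run_command":
        argv = shlex.split(call.args["Command"])  # list form only, no shell=True
    else:
        raise ToolParameterError(f"unknown tool {call.name!r}")

    # The gate applies at dispatch, not after a shell command is formed, so a
    # native tool cannot reach a binary on a path the sandbox never sees.
    if SECURE_MODE and call.name in EXECUTION_TOOLS and not approve(argv):
        raise ToolParameterError(f"{call.name} requires approval in Secure Mode")

    if execute:
        return subprocess.run(argv, capture_output=True, text=True, check=False)
    return argv


if __name__ == "__main__":
    ok = ToolCall("find_by_name", {"Pattern": "settings", "Path": "src"})
    print(dispatch(ok, approve=lambda argv: True))
    for bad in ("--flag", " -v", "x; rm"):
        try:
            validate_pattern(bad)
        except ToolParameterError as exc:
            print(f"rejected {bad!r}: {exc}")
```

The point of the design is the single dispatch function: the validator stops a Pattern value from being read as a flag, and the Secure Mode check sits before any process is created, so it cannot be skipped by a call that never passes through the shell-command tool.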

What's in the full article

Pillar Security's full research covers the operational detail this post intentionally leaves for the source:

  • The exact proof-of-concept parameter values used to turn find_by_name into code execution
  • The disclosure timeline and product response details that show how the issue moved through triage and fix
  • The full discussion of indirect prompt injection through untrusted repository content
  • The side-by-side comparison with prior agentic IDE findings that illustrates the repeating pattern

👉 Read Pillar Security's analysis of prompt injection turning Antigravity search into RCE →

