
Antigravity prompt injection and sandbox escape: are controls enough?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9059
Topic starter

TL;DR: A prompt injection in Google’s Antigravity agentic IDE can turn the find_by_name tool’s Pattern parameter into arbitrary code execution by injecting fd flags, bypassing Secure Mode because the call is treated as a native tool invocation, according to Pillar Security researchers. The deeper issue is that shell-facing parameters in agentic tools create execution paths that security boundaries may never see, so sanitisation alone is not enough.

NHIMG editorial — based on content published by Pillar Security: Prompt Injection leads to RCE and Sandbox Escape in Antigravity

Questions worth separating out

Q: What breaks when prompt injection reaches native tools in an agentic IDE?

A: The usual separation between search, preview, and execution breaks down.

Q: Why do sandbox controls fail against native tool abuse?

A: Sandboxing often protects shell commands after dispatch, but native tool calls may execute earlier in the agent’s flow.

Q: How should security teams reduce risk from agentic IDE tool chains?

A: They should review every tool that can touch files, invoke utilities, or change execution state as a single workflow.

Practitioner guidance

  • Map native tool paths to execution risk: inventory every agentic IDE tool that forwards parameters to shell-backed utilities, and mark those paths as privileged execution surfaces.
  • Block flag injection before command construction: reject tool parameters that begin with hyphens or contain shell-control syntax before any downstream binary sees them.
  • Separate workspace writes from execution-capable tools: treat file creation, file discovery, and execution-adjacent utilities as a combined abuse path.

What's in the full article

Pillar Security's full research covers the operational detail this post intentionally leaves for the source:

  • The exact proof-of-concept parameter values used to turn find_by_name into code execution
  • The disclosure timeline and product response details that show how the issue moved through triage and fix
  • The full discussion of indirect prompt injection through untrusted repository content
  • The side-by-side comparison with prior agentic IDE findings that illustrates the repeating pattern

👉 Read Pillar Security's analysis of prompt injection turning Antigravity search into RCE →

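An added illustration (not part of the original post, and not code from Pillar Security or from Antigravity) of the three practitioner points above: a small Python gate that inventories which tools forward parameters to a shell-backed binary, rejects pattern values that begin with a hyphen or carry shell-control syntax, and places an explicit `--` before the pattern so the downstream binary never parses it as a flag. The tool inventory, the `find_by_name` to `fd` argv prefix, the `grep_search` entry and the sample patterns are constructed assumptions, not the product's real configuration.

```python
import re
import shlex
import subprocess
from typing import Dict, List, Optional

# Constructed inventory of agentic-IDE tools. Only the find_by_name -> fd pairing
# comes from the post; the other entries and the exact argv prefix are assumptions.
TOOL_INVENTORY: Dict[str, dict] = {
    "find_by_name": {"backing_binary": ["fd", "--color", "never"]},
    "read_file": {"backing_binary": None},      # served in-process, no binary involved
    "grep_search": {"backing_binary": ["rg"]},  # assumed ripgrep-backed tool
}

# Characters a command interpreter would treat as control syntax.
SHELL_CONTROL = re.compile(r"[;&|`$<>(){}\n\r\\]")


class ToolParameterRejected(ValueError):
    """Raised when a parameter could alter how the downstream binary is invoked."""


def execution_surfaces(inventory: Dict[str, dict]) -> List[str]:
    """Point 1: list every tool whose parameters reach a shell-backed utility."""
    return sorted(name for name, spec in inventory.items() if spec["backing_binary"])


def check_pattern(pattern: str) -> Optional[str]:
    """Point 2: return a rejection reason, or None when the value is safe to forward."""
    if not isinstance(pattern, str) or not pattern.strip():
        return "empty pattern"
    if "\x00" in pattern:
        return "NUL byte in pattern"
    if pattern.lstrip().startswith("-"):
        return "leading hyphen (would be parsed as a flag)"
    if SHELL_CONTROL.search(pattern):
        return "shell-control syntax in pattern"
    return None


def validate_pattern(pattern: str) -> str:
    """Raise instead of returning a reason, for use on the dispatch path."""
    reason = check_pattern(pattern)
    if reason is not None:
        raise ToolParameterRejected(reason)
    return pattern


def build_argv(tool: str, pattern: str, search_root: str = ".") -> List[str]:
    """Build argv for an allow-listed tool; '--' ends option parsing before the pattern."""
    spec = TOOL_INVENTORY.get(tool)
    if spec is None or not spec["backing_binary"]:
        raise ToolParameterRejected(f"{tool!r} is not an allow-listed shell-backed tool")
    if search_root.startswith("-"):
        raise ToolParameterRejected("search root must not begin with a hyphen")
    return [*spec["backing_binary"], "--", validate_pattern(pattern), search_root]


def is_dispatchable(tool: str, pattern: str, search_root: str = ".") -> bool:
    """Point 3: one yes/no answer for the whole path, so callers cannot skip a check."""
    try:
        build_argv(tool, pattern, search_root)
        return True
    except ToolParameterRejected:
        return False


def audit_line(argv: List[str]) -> str:
    """Record the exact argv, shell-quoted, so reviewers can see what was dispatched."""
    return shlex.join(argv)


def run_tool(tool: str, pattern: str, search_root: str = ".") -> subprocess.CompletedProcess:
    """Dispatch with shell=False so argv goes straight to execve with no interpreter in between."""
    argv = build_argv(tool, pattern, search_root)
    print("dispatch:", audit_line(argv))
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=30)


if __name__ == "__main__":
    print("execution surfaces:", execution_surfaces(TOOL_INVENTORY))
    # Constructed sample inputs: two ordinary patterns, one flag-shaped, one with shell syntax.
    for candidate in ["*.py", "  --some-flag", "a;b", "notes.md"]:
        print(repr(candidate), "->", check_pattern(candidate) or "accepted")
```

The check runs before the argv exists, which is the point the TL;DR makes: a sandbox that only inspects shell commands after dispatch never sees a native tool call, so the validation has to sit on the tool parameter itself. The audit line gives incident responders the literal argv rather than the agent's paraphrase of what it asked for.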
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8498
 

Native tool parameters have become an execution boundary, not an input field. This finding shows that agentic IDEs can turn seemingly harmless search parameters into code execution paths when the parameter reaches a shell-backed utility unfiltered. The governance failure is not just missing sanitisation, but treating native tools as if they were outside the privilege model. Practitioners should classify every tool parameter that can reach a command interpreter as a high-risk control surface.

A few things that frame the scale:

  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to the AI Agents: The New Attack Surface report.
  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.

A question worth separating out:

Q: Who is accountable when an agentic IDE turns search into execution?

A: Accountability sits with the product owner, platform security team, and the governing identity programme together. If the agent is allowed to operate under delegated user authority, then the surrounding controls must be designed for that authority, including parameter validation, sandbox scope, and approval boundaries.

👉 Read our full editorial: Prompt injection in Antigravity turns file search into RCE
