Vuln in Google’s Antigravity AI Agent Manager Could Escape Sandbox, Give Attackers Remote Code Execution
Why It Matters
The exploit demonstrates that even the highest security settings can be subverted, raising urgent concerns for enterprises deploying agentic AI in sensitive environments. It signals a need for deeper security controls beyond simple sanitization in AI‑driven development tools.
Key Takeaways
- Prompt injection bypassed Antigravity’s Secure Mode, granting remote code execution
- Exploit used native “find_by_name” tool, evading sandbox checks
- Google patched the flaw on Feb. 28 after Pillar’s Jan. 6 report
- Vulnerability highlights need for auditing native tool parameters in AI agents
- Similar injection risks observed in other coding assistants like Cursor
Pulse Analysis
The Antigravity vulnerability illustrates a new attack surface emerging from AI‑driven developer assistants. By embedding malicious instructions within files or web content, threat actors can manipulate the agent’s prompt parser, causing it to execute system commands directly. The native "find_by_name" utility, classified as a system tool, sidestepped Google’s Secure Mode, which normally isolates commands in a sandbox, throttles network traffic, and restricts file writes. This loophole allowed attackers to achieve full remote code execution without elevated privileges, highlighting a fundamental flaw in the trust model of autonomous agents.
Security experts warn that the issue is not isolated to Google’s product. Similar prompt‑injection pathways have been identified in other coding AI platforms such as Cursor, suggesting a systemic problem where unvalidated input becomes a vector for code execution. Traditional defenses that rely on input sanitization or human oversight are insufficient when agents autonomously interpret and act on external data. Organizations must adopt rigorous auditing of every native tool invocation and enforce strict validation of all inputs that could be interpreted as prompts, effectively treating each shell parameter as a potential exploit point.
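The auditing recommended above can be made concrete as a policy gate that every native tool call passes through before execution. The following is an added example written for this article, not Antigravity's code: the tool names, validators, workspace path and policy table are all constructed, and the point it demonstrates is that secure mode must apply to a file-search tool's parameters exactly as it applies to a shell command.

```python
import re
from pathlib import Path

# Hypothetical gate in front of an agent's native tools (names and policy are
# constructed for this example; not Antigravity's code). Secure mode is applied
# to every tool invocation, not only to the shell tool.

# Allowlist for the search pattern: plain glob characters only, no shell syntax.
# Allowlisting is stricter than trying to blocklist individual metacharacters.
GLOB_OK = re.compile(r"^[\w.*?/\[\]-]+$")

def inside_workspace(path, workspace):
    """True if path resolves to the workspace root or somewhere beneath it."""
    root = Path(workspace).resolve()
    target = (root / path).resolve()
    return target == root or root in target.parents

def validate_find_by_name(args, workspace):
    """File-name search: glob pattern only, search root confined to the workspace."""
    if not GLOB_OK.fullmatch(args.get("pattern", "")):
        return "pattern is not a plain glob"
    if not inside_workspace(args.get("directory", "."), workspace):
        return "search directory escapes the workspace"
    return None

def validate_read_file(args, workspace):
    """File read: the target must stay inside the workspace."""
    if not inside_workspace(args.get("path", ""), workspace):
        return "file path escapes the workspace"
    return None

# Each native tool declares its validator and whether it really executes inside
# the sandbox; a tool that does not is refused outright while secure mode is on.
TOOL_POLICY = {
    "find_by_name": {"validate": validate_find_by_name, "sandboxed": True},
    "read_file": {"validate": validate_read_file, "sandboxed": True},
}

def check_tool_call(name, args, workspace, policy=TOOL_POLICY, secure_mode=True):
    """Return (allowed, reason); every denial is an audit-log event."""
    entry = policy.get(name)
    if entry is None:
        return False, f"tool {name!r} is not on the allowlist"
    if secure_mode and not entry["sandboxed"]:
        return False, f"tool {name!r} runs outside the sandbox; refused in secure mode"
    reason = entry["validate"](args, workspace)
    if reason:
        return False, f"{name}: {reason}"
    return True, "ok"
```

The denial reasons are what a monitoring pipeline should record, since a burst of refused tool calls from one session is the observable signature of an injected prompt trying to reach the host.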
Google’s rapid response—patching the bug within two months and issuing a bounty—demonstrates the growing importance of coordinated vulnerability disclosure in the AI ecosystem. However, the episode serves as a cautionary tale for enterprises eager to integrate agentic AI into their workflows. Companies should prioritize security‑by‑design principles, incorporate continuous monitoring of AI agent behavior, and invest in specialized AI security tooling. As AI agents become more autonomous, the industry must evolve beyond sanitization‑only strategies to safeguard critical infrastructure and maintain trust in emerging technologies.