Skills
Pillar Security: Google Antigravity Agent Sandbox Escape via Prompt Injection — Native Tool Bypasses Secure Mode Entirely
Pillar Security disclosed a vulnerability in Google's Antigravity AI developer tool where the find_by_name native file-search tool executes before Secure Mode protections evaluate commands. By injecting the -X (exec-batch) flag through the Pattern parameter, attackers convert a file search into arbitrary code execution. Combined with Antigravity's permitted file-creation capability, this enables a full attack chain: stage a malicious script, then trigger it through a seemingly legitimate search. Google patched after disclosure and awarded a bug bounty. The flaw highlights a systemic pattern: native/trusted tools bypass the very security boundaries they're supposed to operate within.
↳ Follow the thread