By ByteBot
Google’s Antigravity IDE, the company’s agentic development platform launched in November 2025, suffers from two critical vulnerabilities enabling remote code execution and persistent backdoors. Security researchers discovered flaws within 24 hours of launch and through responsible disclosure in January 2026. Google patched the prompt injection vulnerability on February 28, but the disclosure reveals a fundamental design problem: mandatory workspace trust creates a single point of failure. As 83% of organizations plan to deploy agentic AI but only 29% feel ready to secure it, Antigravity’s vulnerabilities mark the first major security reckoning in this category.
Two Attack Vectors, One Flawed Trust Model
Mindgard security researcher Aaron Portnoy discovered the first vulnerability on November 19, 2025—just 24 hours after Antigravity launched. Attackers exploit Antigravity’s instruction hierarchy by placing malicious Markdown files in a project’s .agent directory. The system prompt instructs the AI: “The following are user-defined rules that you MUST ALWAYS FOLLOW WITHOUT ANY EXCEPTION.” When a user opens the compromised workspace, the agent automatically copies a malicious mcp_config.json file from the project directory to the global configuration folder. This persistence survives complete uninstallation and executes arbitrary code with user privileges on every launch.
Google initially closed Portnoy’s report as “Won’t Fix (Intended Behavior)” on November 21. The company only reopened and escalated the issue after Mindgard published their findings four days later. That response encapsulates the problem: vendors shipping AI products without modernized security perspectives treat critical vulnerabilities as features.
The second vulnerability, discovered by Pillar Security’s Dan Lisichkin and disclosed January 7, combines file-creation capabilities with insufficient input sanitization. Antigravity’s find_by_name tool lacks validation on the Pattern parameter. By injecting the -X (exec-batch) flag, attackers force the underlying fd command to execute arbitrary binaries against workspace files, bypassing Strict Mode entirely. A Pattern value of -Xsh passes matched files to the shell for execution. Google patched this flaw on February 28—52 days after disclosure.
Mandatory Trust Is the Root Problem
Both vulnerabilities exploit the same architectural flaw: Antigravity requires workspace trust to function. Unlike Visual Studio Code, which allows untrusted projects to run in restricted mode, Antigravity renders itself completely non-functional for untrusted workspaces. Users face an all-or-nothing choice: trust the workspace and accept the risk, or don’t use Antigravity at all.
This design turns “trusted workspace” into a single point of failure. VS Code demonstrates the alternative—flexible trust boundaries let developers safely examine potentially malicious code in restricted mode before deciding to grant elevated permissions. Antigravity offers no such option. The mandatory trust model doesn’t just enable these specific attacks; it creates structural vulnerability that patches can’t fully address.
Attack Surface Explosion
Antigravity isn’t an isolated case. The attack surface of an AI agent equals the union of everything its tools can do. An agent with email capabilities creates email send vulnerabilities. An agent with code execution access creates remote code execution vulnerabilities. Agentic IDEs like Antigravity, which autonomously navigate editors, run terminal commands, and execute code, present attack surfaces orders of magnitude larger than traditional autocomplete tools.
The industry isn’t ready. Cisco’s State of AI Security 2026 report found 83% of organizations plan agentic AI deployments while only 29% feel prepared to secure them. A Dark Reading poll identified agentic AI as the top attack vector for 2026, ahead of deepfakes and supply chain compromises. Security professionals see what’s coming. Engineering teams are deploying anyway.
Every injection surface—web pages agents browse, emails they process, APIs they call, documents they analyze—becomes a potential attack vector. Traditional IDE security assumed human operators made execution decisions. Agentic systems make those decisions autonomously, often processing untrusted external data without human review. That’s not a bug to patch; it’s a paradigm shift requiring entirely new security models.
What Developers Should Do
If you’re using Antigravity, apply Google’s February 28 patch immediately. Verify workspace sources before trusting them. Monitor for unexpected file operations. For sensitive projects, consider air-gapped development environments where agentic tools can’t exfiltrate code or credentials.
More broadly, ask hard questions before adopting any agentic IDE. Does the tool offer granular, session-based permissions, or all-or-nothing trust? Can it operate safely on untrusted code? What’s the vendor’s security disclosure track record? How quickly do they patch critical vulnerabilities? Google’s initial “Won’t Fix” response should inform your vendor evaluation criteria.
The productivity gains agentic IDEs promise are real. Antigravity’s asynchronous multi-agent workflows genuinely enable single developers to manage parallel workstreams. But productivity tools that introduce persistent backdoors and RCE vulnerabilities aren’t productivity tools—they’re liabilities. The race to ship AI features has outpaced the race to secure them. These vulnerabilities prove it.
Key Takeaways
- Google Antigravity suffers from two vulnerabilities: persistent backdoor via trusted workspace exploit and prompt injection RCE through
find_by_nametool - Mandatory workspace trust model creates single point of failure that patches can’t fully address—architectural flaw, not just bugs
- First vulnerability discovered within 24 hours of launch; Google initially dismissed as “Won’t Fix (Intended Behavior)”
- Attack surface of agentic AI equals union of all tool capabilities—orders of magnitude larger than traditional IDEs
- Industry gap: 83% plan agentic AI deployments but only 29% feel ready to secure them
- Developers should patch immediately, verify workspace sources, and demand granular permissions from vendors before adoption
