Google Antigravity Enables Sandbox Escape and Remote Code Execution

Researchers at Pillar Security discovered and reported a prompt-injection vulnerability in Google's Antigravity agent manager that allowed attackers to escape the agent sandbox and achieve remote code execution. The exploit abused a native file-search tool, find_by_name, which executes before Antigravity's Secure Mode protections can evaluate commands, permitting file creation and eventual execution outside the intended working directory. Attack vectors include compromised identity connectors and malicious files or web content the agent ingests. Google patched the flaw after disclosure. For practitioners, the incident underscores that sandboxing and network throttling are insufficient on their own: native tools need the same policy gate as every other tool, ingested content needs provenance tracking, agents need least-privilege execution, and telemetry needs to be detailed enough to detect anomalous file activity.
What happened
Google fixed a vulnerability in Antigravity, its agentic developer tool, after researchers at Pillar Security showed that a prompt-injection chain could bypass the agent sandbox and obtain remote code execution. The exploit relies on a native utility whose call runs before the agent's highest security setting, Secure Mode, can enforce its restrictions. "The security boundary that Secure Mode enforces simply never sees this call," wrote Dan Lisichkin of Pillar Security.
Technical details
At the center of the issue is the native file-search helper find_by_name. Because find_by_name is classified as a native system tool, Antigravity invokes it directly, so the call never enters the command-evaluation path that Secure Mode guards. The attack sequence observed by the researchers combines three elements: prompt injection delivered via ingested content or compromised connectors; the agent using find_by_name to create or locate files; and subsequent execution of those files, resulting in full code execution on the host. Network throttling and directory-write restrictions are not defeated by any memory or logic bug in the sandbox itself; they are bypassed because the agent's internal ordering and trust model applies them only to calls that reach the evaluation path.
Mitigations and practical takeaways
Immediate vendor patching removed the specific vector, but the broader mitigation set practitioners should apply includes:
- enforce least-privilege execution and run agents in constrained OS-level sandboxes or dedicated VMs
- remove native tools like find_by_name from agent runtimes, or route them through the same policy gate as every other tool call
- treat ingested text, files, and open-source content as untrusted; track the provenance of every instruction and do not let content-derived instructions trigger write or execute actions without approval
- apply strong authentication for connector accounts and monitor file-creation and execution telemetry for anomalies, especially writes outside the working directory
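The technical point above, and the mitigation list that follows it, reduce to one design rule: no tool, however "native", may bypass the policy gate. The block below is an added example of such a gate, written for this page; it is not Antigravity code and does not reproduce Pillar Security's exploit. The tool names (find_by_name, write_file, run_command), the tiers, the provenance labels and the workspace layout are assumptions chosen to illustrate the pattern: every call is evaluated before dispatch, path arguments are resolved with realpath so ../ and symlink tricks cannot leave the workspace, and instructions that originate from ingested content or connectors are never allowed to trigger write or execute tiers without a human decision.

```python
"""Added example (not Antigravity's code): a single policy gate that every
tool call, native helpers included, must pass before it is dispatched."""
from __future__ import annotations

import fnmatch
import logging
import os
import subprocess
import tempfile
from dataclasses import dataclass

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
audit = logging.getLogger("tool-audit")

# Assumed registry: every tool, native or not, carries a risk tier.
TOOL_TIERS = {"find_by_name": "read", "write_file": "write", "run_command": "exec"}
# Which tiers an instruction source may trigger without a human in the loop.
ALLOWED_BY_PROVENANCE = {
    "user": {"read", "write", "exec"},
    "ingested": {"read"},    # web pages, files, repo content the agent read
    "connector": {"read"},   # identity / SaaS connectors (assumed labels)
}


@dataclass
class ToolCall:
    name: str
    args: dict
    provenance: str  # who authored the instruction that produced this call


def inside_workspace(root: str, path: str) -> bool:
    """True only if `path` (relative or absolute) resolves under `root`
    after symlink resolution, so '../' and symlink tricks cannot escape."""
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(os.path.join(real_root, path))
    return os.path.commonpath([real_root, real_path]) == real_root


def evaluate(call: ToolCall, root: str) -> str:
    """Policy decision for ANY tool call: 'allow', 'deny' or 'needs_approval'."""
    tier = TOOL_TIERS.get(call.name)
    if tier is None:
        return "deny"  # unregistered tool: never dispatched
    for key in ("path", "dest"):  # assumed names of path-bearing arguments
        if key in call.args and not inside_workspace(root, call.args[key]):
            return "deny"  # path must stay inside the workspace
    if tier not in ALLOWED_BY_PROVENANCE.get(call.provenance, set()):
        return "needs_approval"  # untrusted text may not reach write/exec
    return "allow"


def find_by_name(root: str, path: str, pattern: str) -> list[str]:
    """Illustrative native-style helper: glob files under root/path."""
    hits = []
    for dirpath, _, files in os.walk(os.path.join(root, path)):
        for name in files:
            if fnmatch.fnmatch(name, pattern):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def write_file(root: str, path: str, content: str) -> str:
    full = os.path.join(root, path)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(content)
    return full


def run_command(root: str, cmd: str) -> str:
    return subprocess.run(["sh", "-c", cmd], cwd=root, capture_output=True,
                          text=True, timeout=10).stdout


TOOLS = {"find_by_name": find_by_name, "write_file": write_file,
         "run_command": run_command}


def dispatch(call: ToolCall, root: str):
    """Single choke point: nothing runs unless evaluate() returns 'allow'."""
    decision = evaluate(call, root)
    audit.info("tool=%s provenance=%s args=%s decision=%s",
               call.name, call.provenance, call.args, decision)
    if decision != "allow":
        return decision, None
    return decision, TOOLS[call.name](root, **call.args)


def demo() -> dict:
    """Constructed workspace with two files; returns the decision per scenario."""
    root = tempfile.mkdtemp(prefix="agent-ws-")
    write_file(root, "src/app.py", "print('hi')\n")
    write_file(root, "notes/README.md", "# notes\n")
    calls = {
        "search_in_ws": ToolCall("find_by_name", {"path": "src", "pattern": "*.py"}, "ingested"),
        "search_escape": ToolCall("find_by_name", {"path": "../../etc", "pattern": "*"}, "ingested"),
        "write_from_web": ToolCall("write_file", {"path": "src/evil.py", "content": "x"}, "ingested"),
        "exec_from_connector": ToolCall("run_command", {"cmd": "id"}, "connector"),
        "user_write": ToolCall("write_file", {"path": "src/ok.py", "content": "x=1\n"}, "user"),
    }
    return {label: dispatch(call, root) for label, call in calls.items()}


if __name__ == "__main__":
    for label, (decision, result) in demo().items():
        print(f"{label}: {decision} {result if result is not None else ''}")
```

The two checks are deliberately independent: the workspace check denies the escape regardless of who asked, and the provenance check parks write/exec calls from content-derived instructions in "needs_approval" even when their paths are fine. The audit line is emitted for every call, including denied ones, which is the telemetry the mitigation list asks for.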
Context and significance
This is not an isolated engineering bug; it highlights a systemic class of risks in agentic AI. Agent frameworks often conflate data-for-context with executable instructions, and native helpers that run outside the normal evaluation pipeline become attractive escalation points. Similar prompt-injection chains have been demonstrated across commercial and open systems, so expect increased scrutiny by security teams integrating agentic tools into CI, devops, and production automation.
What to watch
Track vendor updates that harden native-tool policies, improved threat-model guidance for agent deployments, and detection rules for file-creation and cross-boundary execution patterns that indicate exploitation.
Scoring Rationale
A sandbox escape enabling remote code execution in a major vendor's agent framework is a high-impact security event for practitioners deploying agentic AI. The flaw was patched, reducing immediate risk, but it exposes a class of trust-model failures that affect many agent deployments.

