Cybersecurity researchers have identified, and Google has since patched, a vulnerability in its agentic integrated development environment Antigravity that could allow a prompt injection to escalate to code execution. The flaw stemmed from Antigravity's file-creation capability combined with insufficient input validation in its file search tool, find_by_name. The issue affected the system's Strict Mode, a security configuration designed to limit network access, restrict out-of-workspace writes, and enforce sandboxed command execution, yet the vulnerability allowed attackers to bypass these controls under certain conditions.
The exploit technique relied on manipulating the Pattern parameter of the find_by_name tool. According to the researchers, injecting command flags such as -X (--exec-batch) into this parameter could force the underlying file-discovery utility, fd, to execute arbitrary binaries against workspace files. Since Antigravity permits file creation as part of its normal operation, an attacker could stage a malicious script and then trigger its execution through what appears to be a legitimate file search request. Once the prompt injection was in place, the process required no further user interaction, effectively turning a constrained tool into an execution vector.
The root cause was a lack of strict input sanitization: the Pattern parameter was passed directly to the underlying system command without sufficient validation. In practical terms, this allowed crafted inputs such as -Xsh to instruct fd to execute shell commands on matched files. Researchers also highlighted that indirect prompt injection could achieve the same outcome without any direct system compromise. In such a scenario, an unsuspecting user might load a seemingly harmless file from an untrusted source, only for hidden instructions embedded in its comments to trigger the staged attack automatically through the AI agent.
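The argument-injection pattern described above, shown as a flawed argv builder beside a hardened one (an added example, not code from Antigravity, Google or the researchers; the fd binary name, the argv-based invocation and the helper names are assumptions):

```python
import subprocess
from typing import List

# Added illustration of the argument-injection class described above. These
# helpers are hypothetical and are not Antigravity's or fd's own code; they
# assume the file search is realised by spawning the fd binary with an argv list.
FD_BIN = "fd"


def build_fd_argv_unsafe(pattern: str, root: str = ".") -> List[str]:
    """Flawed design: the Pattern value goes straight into fd's argument list.
    fd's option parser sees a leading '-' and treats the value as a flag, so a
    constructed pattern like '-Xsh' is read as '-X sh' (exec-batch), not as text
    to search for. Even with no shell involved, this is argument injection."""
    return [FD_BIN, pattern, root]


def is_safe_pattern(pattern: str) -> bool:
    """Policy check: a search pattern must be non-empty, bounded in length,
    free of control characters, and must not begin with '-'. A regex that needs
    a literal leading dash can still be written as '\\-'."""
    if not pattern or len(pattern) > 256:
        return False
    if pattern[0] == "-":
        return False
    return not any(ord(ch) < 0x20 for ch in pattern)


def build_fd_argv_safe(pattern: str, root: str = ".") -> List[str]:
    """Hardened form: validate first, then place '--' before the pattern so fd
    stops option parsing and treats everything after it as positional input.
    The '--' alone would neutralise '-Xsh'; the policy check is defence in depth
    and gives the caller a clear signal to log."""
    if not is_safe_pattern(pattern):
        raise ValueError(f"rejected search pattern: {pattern!r}")
    return [FD_BIN, "--", pattern, root]


def run_fd(pattern: str, root: str = ".") -> List[str]:
    """Execute the hardened invocation without a shell and return matched paths.
    Not exercised by the checks below because fd may not be installed."""
    argv = build_fd_argv_safe(pattern, root)
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return [line for line in proc.stdout.splitlines() if line]


if __name__ == "__main__":
    # Constructed sample values; the second mirrors the payload named above.
    for p in (r"\.py$", "-Xsh"):
        print(p, "->", build_fd_argv_unsafe(p), "| accepted:", is_safe_pattern(p))
```

The same rule generalises to any tool parameter that ends up as a process argument: pass an argv list, never a shell string, terminate options with `--`, and reject values that can be read as flags before they reach the binary.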
Following responsible disclosure in January 2026, Google addressed the vulnerability by late February. Security researchers noted that this case reflects a broader systemic issue in agentic AI systems where tools designed for constrained operations can become attack vectors if their inputs are not rigorously validated. The underlying concern is that traditional trust models assume human oversight will identify malicious behavior, yet autonomous AI agents can execute instructions from external content without the same level of scrutiny.
Alongside the Antigravity findings, multiple other vulnerabilities have been identified across AI-powered development tools and agents. Research has shown that systems such as Anthropic Claude Code, Google Gemini CLI Action, and GitHub Copilot Agent can be exposed to prompt injection through GitHub comments, where issue descriptions, pull request titles, and comments can be weaponized to extract API keys and tokens. This attack pattern, referred to as Comment and Control, leverages the elevated permissions of AI agents that process untrusted inputs within development environments.
Additional research has highlighted memory-poisoning vulnerabilities in Claude Code that allow persistent manipulation across sessions, as well as living-off-the-land attack chains in AI code editors such as Cursor. In these cases, malicious repositories can hijack developer machines through indirect prompt injection and sandbox-escape techniques, enabling persistent system access without repeated exploitation. Other documented threats include ToolJack, which manipulates the AI's perception by altering tool communication layers, and indirect prompt injection vulnerabilities in platforms such as Microsoft Copilot Studio and Salesforce Agentforce, where external inputs are treated as trusted instructions.
Recent findings also include multi-stage attacks against Claude workflows and GitHub Actions pipelines, where identity spoofing and configuration manipulation can lead to unauthorized code merging and data exfiltration. Researchers emphasize that these vulnerabilities demonstrate a recurring pattern: AI agents operating with tool access and insufficient separation between instructions and data can be manipulated into executing unintended actions, exposing both development systems and production environments to evolving security risks.