GOOGLE has patched a flaw in its Antigravity AI-powered IDE that could enable prompt-injection based code execution by abusing the tool’s file-creation permissions and a weak input sanitisation in the find_by_name native file-search feature.
The vulnerability allowed an attacker to pass the -X (exec-batch) flag through the Pattern parameter to the fd command, forcing execution of arbitrary binaries against workspace files and undermining Antigravity’s Strict Mode, which is meant to restrict network access and sandbox execution.
According to Pillar Security researcher Dan Lisichkin, the attack chain could stage a malicious script and trigger it via a legitimate-sounding search without further user interaction once the prompt injection lands, with the -X flag enabling shell execution when combined with a crafted Pattern like -Xsh. Google addressed the shortcoming after responsible disclosure on 7 January 2026, with patches in place by 28 February 2026.
The report also notes related prompt-injection vulnerabilities across other AI tools and services, including Anthropic Claude Code Security Review, Google Gemini CLI Action, and GitHub Copilot Agent, among others, illustrating a broader pattern of untrusted input being abused to access secrets or execute commands.