A Crafted Search Pattern Unlocked RCE Inside Google’s Antigravity IDE

Key Takeaways

  • Pillar Security disclosed on April 21, 2026 a prompt-injection-to-RCE chain in Google’s Antigravity AI agent IDE that bypassed Secure Mode.
  • The exploit abused insufficient sanitization on the Pattern parameter of find_by_name, a native file search tool invoked before sandbox controls evaluated command-level operations.
  • By injecting command-line flags through the Pattern parameter, attackers steered the underlying fd utility into arbitrary code execution.
  • Pillar reported the flaw on January 6, 2026; Google patched it on February 28, 2026 and awarded a bug bounty.
  • Press coverage across The Hacker News, Dark Reading, and CyberScoop has made this a reference case for native-tool trust boundaries in AI agent IDEs.

Summary

Pillar Security disclosed on April 21, 2026 that Google’s Antigravity AI agent IDE contained a prompt-injection flaw enabling sandbox escape and remote code execution. The attack abused insufficient sanitization of find_by_name’s Pattern parameter to inject command-line flags into the underlying fd utility, bypassing Antigravity’s Secure Mode. The flaw was reported in January and patched in February, with public disclosure in April.

What We Know

Google Antigravity is an AI-powered developer tool that combines an IDE surface with agent-driven filesystem operations. On April 21, 2026, Pillar Security publicly disclosed a flaw in Antigravity’s find_by_name tool enabling prompt-injection-driven sandbox escape and RCE. Coverage appeared simultaneously across The Hacker News and CyberScoop.

The find_by_name tool is classified as a native system tool, so the agent can execute it directly, before protections like Secure Mode evaluate command-level operations. The flaw lived in insufficient input sanitization of the Pattern parameter. By injecting command-line flags through it, attackers steered the underlying fd utility into unintended execution paths, converting a file search into arbitrary code execution. The exploit therefore circumvented Antigravity’s Secure Mode, the configuration Google advertises as routing command operations through a virtual sandbox. Pillar reported the flaw on January 6, 2026; Google patched it on February 28, 2026 and awarded a bug bounty.

What Happened

The failure sits in the trust boundary that AI agents draw around native tools. Antigravity classified find_by_name as a native operation so the agent could invoke it with minimal overhead, on the assumption that the tool’s inputs were safe by construction. In practice, its Pattern parameter fed command-line flags into the underlying fd utility with insufficient sanitization.

A carefully constructed Pattern value, delivered via prompt injection from adversarial content the agent consumed, let attackers add fd flags that changed execution semantics and achieved arbitrary code execution, as Dark Reading described. Because the Pattern parameter was processed inside the native tool before Secure Mode’s guardrails ran, the sandbox never saw the operation coming. Native designations are a trust delegation that must be audited, because they shortcut the protection stack. Google’s patch reimposed sanitization on the Pattern parameter, but the pattern of native-tool over-trust is broader than find_by_name alone.
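The defect described above is a classic argument-injection shape: a user-controlled pattern reaches a command line where a leading dash is parsed as an option. The following Python is an added illustration, not Antigravity’s or Pillar’s code, and assumes nothing about how Antigravity actually invokes fd. It contrasts the defective shape (string concatenation handed to a shell-style parser) with a hardened wrapper that validates the pattern, builds argv without a shell, and inserts the POSIX `--` end-of-options marker that fd, like other clap-based CLIs, honors, so the pattern is always positional even if validation is ever bypassed.

```python
"""Argument-injection hardening for a file-search tool that shells out to fd."""
import re
import shlex
import subprocess

# Defensive allow-list for a search pattern (assumed policy, not Antigravity's):
# bounded length, no whitespace, no shell metacharacters. The leading-dash rule
# is enforced separately because '-' is a legitimate character inside a name.
_PATTERN_RE = re.compile(r"^[A-Za-z0-9_.*?\[\]{}()|^$+/-]{1,256}$")


def validate_pattern(pattern: str) -> bool:
    """Return True only for patterns that cannot be mistaken for fd options."""
    if not pattern or pattern.startswith("-"):
        return False  # "-..." is option syntax, never a filename pattern
    if any(ch.isspace() for ch in pattern):
        return False  # a space would let one parameter become two argv entries
    return bool(_PATTERN_RE.fullmatch(pattern))


def unsafe_fd_command(pattern: str, root: str) -> list[str]:
    """The defective shape: a command string assembled by concatenation.

    shlex.split stands in for a shell here. Anything in `pattern` that starts
    with '-' lands in the same position an operator would type an fd option.
    """
    return shlex.split(f"fd {pattern} {root}")


def hardened_fd_argv(pattern: str, root: str) -> list[str]:
    """Build argv with no shell and an explicit end-of-options marker.

    Everything after '--' is treated by fd as positional (pattern, then path),
    so even a pattern that slipped past validation could not become a flag.
    """
    if not validate_pattern(pattern):
        raise ValueError(f"rejected search pattern: {pattern!r}")
    return ["fd", "--", pattern, root]


def run_find_by_name(pattern: str, root: str) -> list[str]:
    """Execute the hardened search (requires fd on PATH) and return matches."""
    proc = subprocess.run(hardened_fd_argv(pattern, root),
                          capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()
```

Rejected patterns are also worth logging: an agent tool that repeatedly submits dash-prefixed search patterns is a strong signal of injected instructions in the content it is consuming.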

Why It Matters

Antigravity’s find_by_name disclosure is the highest-profile demonstration to date that a carefully marketed sandbox mode is only as strong as the parsing code inside the tools it is meant to contain. For enterprises evaluating AI agent IDEs, the lesson is specific: trust levels inside the agent matter more than trust levels at the perimeter. A native tool designation is a latent bypass of the perimeter unless the tool’s inputs are hardened.

A related AI supply-chain incident on the PointGuard site shows how quickly platform-level trust assumptions become an active attack surface. The incident should accelerate industry norms around publishing trust-boundary documentation for each shipped tool and fuzz-test coverage of every parameter that flows into a system binary. Regulators working on the EU AI Act and NIST AI RMF will likely cite this case when defining expectations for agent-tooling transparency.

PointGuard AI Perspective

The Antigravity disclosure makes a PointGuard AI core thesis visible: the agent tool boundary is where AI security is won or lost. PointGuard AI’s AI security posture management capability maps every AI agent platform in use, the tools each agent can invoke, the trust level assigned to each tool, and the sandbox controls those tools nominally sit behind.

When a vendor ships a tool marked native or similarly privileged, PointGuard captures that designation and surfaces it alongside the threat-model implications, so security teams see the trust delegation rather than inheriting it silently. PointGuard’s AI governance layer lets organizations set policy for how native tools may be used, what auditing accompanies them, and what compensating controls are required when a vendor discloses a trust-boundary flaw. Trustworthy AI adoption in developer platforms requires continuous posture, continuous scoring, and explicit governance across every native tool an agent can reach.

Incident Scorecard Details

Total AISSI Score: 5.8/10 (the weighted sum of the five components below: 7×0.25 + 6×0.20 + 5×0.15 + 7×0.15 + 4×0.25 = 5.75, rounded to 5.8)

  • Criticality = 7 (AISSI weighting 25%): remote code execution in an agent orchestration plane with access to developer machines.
  • Propagation = 6 (AISSI weighting 20%): Antigravity adoption is growing but not at AgentCore or Vertex scale.
  • Exploitability = 5 (AISSI weighting 15%): research proof of concept; patched before widespread abuse.
  • Supply Chain = 7 (AISSI weighting 15%): Google-hosted agent platform.
  • Business Impact = 4 (AISSI weighting 25%): fix coordinated; no confirmed customer impact.

Sources


Scoring Methodology

Category          Weight   Description
Criticality       25%      Importance and sensitivity of the affected assets and data.
Propagation       20%      How easily the issue can escalate or spread to other resources.
Exploitability    15%      Whether the threat is actively exploited or only demonstrated in a lab.
Supply Chain      15%      Whether the threat originated with, or was amplified by, third-party vendors.
Business Impact   25%      Operational, financial, and reputational consequences.
