
Last week Google released an IDE called Antigravity. It’s basically the outcome of the Windsurf licensing deal from a few months ago, where Google paid some $2.4 billion for a non-exclusive license to the code.
Because it’s based on Windsurf, I was curious if vulnerabilities that I reported to Windsurf back in May 2025, long before the deal, would have been addressed in the Antigravity IDE. See Month of AI Bugs for some detailed write-ups.
The short answer is no.
In this post we will walk through five security vulnerabilities that I reported to Google last week, including data exfiltration vulnerabilities, and even remote code execution via indirect prompt injection. As an outsider, it’s unclear why these known vulnerabilities are in the product, but after researchers started reporting issues last Tuesday, Google started documenting them publicly here also. My personal guess is that the Google security team was caught a bit off guard by Antigravity shipping…
Although these vulnerabilities are straightforward to exploit, I will not include the exploit payloads verbatim at this point. The main goal is to raise awareness and provide practical mitigation steps as well.

Overview

As this is a bit of a lengthy post, I’m including a quick index table.
  • Antigravity System Prompt
  • Issue #1: Remote Command Execution via Indirect Prompt Injection (Auto-Execute Bypasses)
  • Issue #2: Antigravity Follows Hidden Instructions
  • Issue #3: Lack of Human in the Loop for MCP Tool Invocations
  • Issue #4: Data Exfiltration via read_url_content tool
  • Issue #5: Data Exfiltration via image rendering
  • Recommendations and Mitigations
For all reports I created fresh, reliable exploit payloads and demo videos.
If you prefer to watch a video with details and demos:
There are also five additional issues, which I have not previously discussed. I’ll share details on those as fixes arrive, issues are marked as won’t fix, or responsible disclosure deadlines pass.
Let’s take a look.