Capability Overview
Google has shipped Gemini Spark for macOS, folding its agentic assistant into the existing Gemini desktop application. The release extends Spark’s reach to local file system operations — reading, sorting, and transforming files on the user’s Mac — and introduces integrations with Google Tasks, Google Keep, Dropbox, Canva, Instacart, OpenTable, and Zillow Rentals. Critically, Google is also rolling out support for custom Model Context Protocol (MCP) integrations, enabling users to connect arbitrary third-party tools directly into the agent. A forthcoming feature will allow mobile-to-desktop task delegation, letting a phone-based prompt trigger file retrieval and processing on a remote Mac. For defenders, this release marks a meaningful shift: Gemini Spark is no longer a cloud-sandboxed chatbot but a locally rooted agent with persistent connections to file systems, cloud services, and an extensible tool ecosystem.
Attack Surface Analysis
Local file system as a prompt injection surface. Spark can now ingest files from the Mac to produce Workspace documents. An attacker who places a maliciously crafted file — a weaponised invoice, a PDF with embedded instructions, or a poisoned note synced from a compromised cloud account — can inject instructions that redirect Spark’s actions. The agent has no reliable way to distinguish authoritative user intent from attacker-controlled file content.
MCP as an unvetted plugin layer. Custom MCP support is the highest-risk addition in this release. Users can connect arbitrary applications into Spark with what appears to be minimal centralised vetting. This mirrors the early BYOP (bring-your-own-plugin) risks seen in ChatGPT’s plugin ecosystem: a malicious or poorly-secured MCP server can exfiltrate data, execute unauthorised actions, or serve as a pivot point into the broader Google account.
Cross-platform lateral movement. Spark’s simultaneous access to Google Workspace, Dropbox, Keep, and external booking/commerce platforms means a single compromised agent session has blast radius across multiple services. An attacker manipulating Spark could silently exfiltrate Dropbox files into a Workspace document, forward sensitive data via a third-party integration, or corrupt shared content.
Real-time monitoring as a persistent inbound channel. The topic-tracking feature ingests social media, blogs, news, and online shopping signals continuously. This represents a persistent, low-friction vector for delivering prompt injection payloads via attacker-controlled web content that Spark monitors autonomously.
Forthcoming mobile-to-desktop bridge. The announced phone-initiated desktop task feature, while not yet live, will create a cross-device trust boundary that deserves early scrutiny — compromising the mobile device or intercepting the task delegation channel could trigger file access or exfiltration on the desktop.
Framework Mapping
- AML.T0051 (LLM Prompt Injection): File-based and web-sourced content ingestion provides direct injection pathways into agent task execution.
- AML.T0010 (ML Supply Chain Compromise): Custom MCP integrations introduce unvetted third-party components into the agent’s tool chain.
- AML.T0057 (LLM Data Leakage): Agent-mediated file-to-Workspace transfers and third-party app actions risk unintended sensitive data exposure.
- LLM08 (Excessive Agency): Spark can take real-world actions (booking tables, ordering groceries, managing files), and the announcement describes few human confirmation steps.
- LLM07 (Insecure Plugin Design): The announcement describes no permission scoping or sandboxing for MCP integrations, consistent with historical plugin security gaps.
Threat Scenarios
Weaponised invoice attack: An attacker emails a target a PDF invoice. The user saves it to their Mac. Spark, asked to convert invoices to a budget spreadsheet, processes the file and its embedded prompt injection — silently forwarding the spreadsheet (and other file contents) to an attacker-controlled email address via a connected Workspace action.
Malicious MCP server: A developer publishes a popular-looking MCP integration for a productivity tool. The server logs all queries Spark sends through it, harvesting file names, content summaries, and user intent signals over time.
Real-time monitoring poisoning: An attacker publishes SEO-optimised blog content containing hidden prompt instructions. Spark, monitoring that topic for a target user, ingests the content and executes embedded commands — such as sharing a sensitive file to an external address.
Defender Checklist
- Restrict file system access: Configure macOS permissions to limit Spark’s accessible directories to the minimum necessary; avoid granting access to sensitive directories (SSH keys, credential stores, source code).
- Treat MCP integrations as third-party code: Apply the same vetting process as browser extensions or SaaS app approvals before any custom MCP connection is authorised.
- Audit connected app permissions: Review OAuth scopes granted to Spark across Google Workspace, Dropbox, and any third-party integrations; revoke excessive permissions.
- Establish data-handling policies: Define which data categories Spark is permitted to include in auto-generated Workspace documents or share externally.
- Monitor agent-initiated outbound actions: Log and alert on Spark-triggered file transfers, document creations, and third-party API calls as you would any privileged service account activity.
- Prepare for mobile-desktop bridge: Before the forthcoming phone-to-Mac feature ships, define acceptable use policies and authentication requirements for remote task delegation.
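As an added example (not part of the original analysis and not Google tooling), the following Python sketch applies the monitoring and data-handling items of the checklist to a constructed JSON-lines audit feed, rating a local-file ingest followed by an external share (the weaponised invoice scenario) above a plain external share or a read of a credential directory. It assumes the agent appears as actor `gemini-spark` and that the field names shown exist; both are assumptions to be mapped onto whatever audit export is actually available.

```python
import json
from dataclasses import dataclass

# Constructed JSON-lines audit feed (assumption: a real Spark/Workspace
# audit export uses other field names; map them onto these first).
SAMPLE_LOG = """\
{"ts":"2025-06-01T09:14:02Z","actor":"gemini-spark","action":"doc.create","source":"~/Documents/invoices/may.pdf","target":"sheets/budget-2025","recipient":null}
{"ts":"2025-06-01T09:14:05Z","actor":"gemini-spark","action":"doc.share","source":"sheets/budget-2025","target":"email","recipient":"collect@attacker.example"}
{"ts":"2025-06-01T09:20:11Z","actor":"gemini-spark","action":"file.read","source":"~/.ssh/id_ed25519","target":null,"recipient":null}
{"ts":"2025-06-01T09:25:30Z","actor":"gemini-spark","action":"doc.share","source":"docs/notes","target":"email","recipient":"colleague@corp.example"}
{"ts":"2025-06-01T09:30:00Z","actor":"alice","action":"doc.share","source":"docs/notes","target":"email","recipient":"friend@gmail.example"}
"""

AGENT_ACTORS = {"gemini-spark"}      # assumption: how the agent is named in the feed
TRUSTED_DOMAINS = {"corp.example"}   # the organisation's own mail domains
SENSITIVE_PREFIXES = ("~/.ssh/", "~/.aws/", "~/Library/Keychains/", "~/src/")
OUTBOUND_ACTIONS = {"doc.share", "mail.send", "integration.call"}

@dataclass(frozen=True)
class Finding:
    ts: str
    rule: str
    detail: str

def is_external(recipient) -> bool:
    return bool(recipient) and recipient.rsplit("@", 1)[-1] not in TRUSTED_DOMAINS

def scan(log_text: str) -> list[Finding]:
    """Apply the checklist rules to every agent-initiated action in the feed.
    Objects the agent built from a local file are 'tainted'; an external share
    of a tainted object is the weaponised-invoice pattern and gets its own rule."""
    tainted: set[str] = set()
    findings: list[Finding] = []
    for line in filter(str.strip, log_text.splitlines()):
        ev = json.loads(line)
        if ev["actor"] not in AGENT_ACTORS:
            continue                      # human-initiated actions: separate policy
        if ev["action"] == "doc.create" and ev["source"].startswith("~/"):
            tainted.add(ev["target"])     # built from ingested local content
        if ev["action"] in OUTBOUND_ACTIONS and is_external(ev["recipient"]):
            rule = "ingest-then-external-share" if ev["source"] in tainted else "agent-external-share"
            findings.append(Finding(ev["ts"], rule, f"{ev['source']} -> {ev['recipient']}"))
        if ev["action"] == "file.read" and ev["source"].startswith(SENSITIVE_PREFIXES):
            findings.append(Finding(ev["ts"], "agent-sensitive-read", ev["source"]))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.ts, f.rule, f.detail)
```

The internal share and the human-initiated share produce no finding; the two agent actions that match the threat scenarios do.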