Overview
Google has issued a patch for a critical remote code execution (RCE) vulnerability in an AI-based agentic product used for filesystem operations, branded internally as an ‘Antigravity’ tool. The flaw, rooted in a prompt injection weakness, allowed attackers to bypass sandbox protections and execute arbitrary code on the underlying host system. The vulnerability underscores a growing and under-appreciated risk: as AI agents are granted real-world capabilities — including direct filesystem access — the consequences of prompt injection escalate from data leakage to full system compromise.
Technical Analysis
The vulnerability was classified as a sanitisation failure within the agentic AI pipeline. Specifically, user-controlled input passed to the AI agent was not adequately stripped or escaped before being interpreted as system-level instructions. This allowed a crafted prompt to escape the intended execution sandbox and invoke arbitrary commands on the host operating system.
This attack pattern follows a well-understood but increasingly dangerous archetype in agentic AI design:
- Malicious input is submitted to the AI agent (directly or via an upstream data source).
- The agent, lacking robust input validation, interprets injected content as legitimate instructions.
- The agent’s privileged access to the filesystem or shell is abused to execute attacker-controlled commands.
- Sandbox escape is achieved due to insufficient process isolation between the AI agent runtime and the host environment.
The critical severity is driven by the agent’s elevated privileges. Unlike a standard LLM chatbot, filesystem-capable agents operate with tool-use permissions that can directly modify, exfiltrate, or destroy data — and in this case, execute arbitrary code.
Framework Mapping
| Framework | ID | Rationale |
|---|---|---|
| MITRE ATLAS | AML.T0051 | Core mechanism is LLM prompt injection |
| MITRE ATLAS | AML.T0047 | Exploited via an ML-enabled product with real-world integrations |
| OWASP LLM | LLM01 | Prompt injection is the root cause |
| OWASP LLM | LLM02 | Unsanitised output from the model was passed to system calls |
| OWASP LLM | LLM07 | The filesystem plugin lacked secure design controls |
| OWASP LLM | LLM08 | The agent possessed excessive agency with insufficient guardrails |
Impact Assessment
Any user or enterprise deploying the unpatched version of Google’s agentic filesystem AI tool is potentially exposed to full host compromise. The RCE primitive gives attackers the ability to install malware, exfiltrate sensitive files, pivot laterally within a network, or destroy data. Given that agentic AI tools are frequently deployed in developer environments or CI/CD pipelines with broad filesystem access, the blast radius is significant.
Mitigation & Recommendations
- Patch immediately: Apply the Google-issued fix to all instances of the affected tool without delay.
- Restrict agent permissions: Apply least-privilege principles — agents should only have access to the specific filesystem paths required for their function.
- Harden sandbox isolation: Ensure AI agent runtimes are isolated from the host OS via containerisation or virtualisation with strict syscall filtering (e.g., seccomp profiles).
- Validate and sanitise all agent inputs: Treat all data passed into agent pipelines — including retrieved content — as untrusted. Implement allowlist-based input validation.
- Monitor agent behaviour: Deploy runtime anomaly detection for unexpected filesystem operations or process spawning originating from AI agent processes.
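As an added illustration of the least-privilege, input-validation and monitoring items above (example code written for this summary, not Google's or the Antigravity tool's own): a filesystem tool handler that exposes only an operation allowlist, confines every path to one agent root after resolving symlinks and "..", and records each rejected call for a detection pipeline. The root directory, file names and tool-call shapes are constructed for the demo.

```python
import os
import tempfile

ALLOWED_OPS = {"read", "list"}  # assumption: all this agent needs; no exec op exists

class AgentFsTool:
    def __init__(self, root):
        self.root = os.path.realpath(root)  # canonical, symlink-free anchor
        self.audit = []                     # rejections for a detection pipeline

    def _confine(self, rel):
        # Refuse absolute paths, canonicalise (symlinks, ".."), keep result under root.
        if os.path.isabs(rel):
            raise PermissionError(f"absolute path rejected: {rel}")
        target = os.path.realpath(os.path.join(self.root, rel))
        if os.path.commonpath([self.root, target]) != self.root:
            raise PermissionError(f"path escapes agent root: {rel}")
        return target

    def handle(self, call):
        # Model output is data: schema-check it before anything touches the OS.
        op, path = call.get("op"), call.get("path")
        try:
            if op not in ALLOWED_OPS or not isinstance(path, str):
                raise PermissionError(f"disallowed tool call: {call}")
            target = self._confine(path)
        except PermissionError as exc:
            self.audit.append(f"REJECT op={op!r} path={path!r} reason={exc}")
            raise
        if op == "list":
            return sorted(os.listdir(target))
        with open(target, encoding="utf-8") as fh:  # op == "read"
            return fh.read()

def demo():
    # Constructed agent root: one file plus a symlink that points outside it.
    root = tempfile.mkdtemp(prefix="agent-root-")
    with open(os.path.join(root, "notes.txt"), "w", encoding="utf-8") as fh:
        fh.write("hello")
    os.symlink(os.path.dirname(root), os.path.join(root, "escape"))
    tool, out = AgentFsTool(root), {}
    for name, call in {"read_ok": {"op": "read", "path": "notes.txt"},
                       "traversal": {"op": "read", "path": "../../etc/hostname"},
                       "symlink": {"op": "list", "path": "escape"},
                       "shell": {"op": "shell", "path": "notes.txt"}}.items():
        try:
            out[name] = tool.handle(call)
        except PermissionError:
            out[name] = "rejected"
    return out, tool.audit
```

The point is that the shell operation the injected prompt asked for never exists as a tool, and every path the model emits is checked against the canonical root, so a prompt injection can at worst read files the agent was already allowed to read.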