Antigravity find_by_name: when a native tool call jumps over Secure Mode
On April 20, 2026, Pillar Security disclosed that a single unsanitised parameter in Google Antigravity's find_by_name tool turned file search into arbitrary code execution — and bypassed the IDE's strictest sandbox.
What is this?
On April 20, 2026, Pillar Security researcher Dan Lisichkin published Prompt Injection leads to RCE and Sandbox Escape in Antigravity, the public write-up of a vulnerability in Google Antigravity — Google’s agentic IDE, in which Gemini-driven agents drive a code editor and a shell on the developer’s machine. The Hacker News and CSO Online picked up the disclosure on April 21, 2026, with follow-on coverage by Dark Reading and CyberScoop, and a research note from the Cloud Security Alliance Labs.
The flaw is small and exact: the Pattern parameter of Antigravity’s find_by_name tool was passed unsanitised to the underlying fd binary. A Pattern value starting with - is interpreted by fd as a flag rather than a search term, and the -X (exec-batch) flag turns file search into arbitrary command execution. Combined with the agent’s normal ability to create files in the workspace, that primitive yields remote code execution under Antigravity’s own Secure Mode, the IDE’s strictest sandbox.
Pillar reported the bug to Google on January 7, 2026. Google accepted it on January 24, 2026, marked it fixed on February 28, 2026, and paid a VRP bounty on March 26, 2026 before public disclosure on April 20, 2026. The 90-day responsible-disclosure clock has long elapsed; the vulnerability is patched.
How it works
find_by_name is documented as a thin convenience wrapper around fd, the fast find alternative. It accepts a JSON object with fields like Pattern, Extensions, SearchDirectory, MaxDepth. Inside the tool, Pattern is interpolated into the fd command line without an argument terminator (--) and without filtering for shell-style leading dashes. Two ingredients of the attack chain are now visible:
- fd treats Pattern as a flag whenever it starts with -.
- fd -X <bin> executes <bin> on the matched files, passing their filenames as arguments.
# Conceptual structure — illustrative only, drawn from the Pillar advisory.
# This is the published, patched class of bug; nothing here is novel.
# 1) Indirect prompt injection drops into Antigravity through an
# untrusted file (a README in a pulled repo, a comment in source).
# The injected text asks the agent to:
#
# - create a workspace file (allowed action)
# - then call find_by_name with Pattern starting with "-Xsh"
#
# 2) The native tool call fires BEFORE Secure Mode evaluates anything,
# because the agent classifies find_by_name as a native tool,
# not a shell command.
#
# 3) fd receives a "flag" instead of a pattern, switches into
# exec-batch mode, and executes the staged file via sh.
#
# Concrete payload structure from the advisory:
# Pattern: "-Xsh"
# Extensions: ["orange"] # matches the staged file
# SearchDirectory: <workspace>
#
# Result: every staged a.orange file is handed to sh, executing
# whatever the agent was told to write earlier in the workspace.
The detail that makes this more than a generic argument-injection bug is the bypass of Secure Mode. Secure Mode in Antigravity is documented as blocking out-of-workspace writes, restricting network egress, and forcing shell commands to run sandboxed. None of those controls fire here, because find_by_name is dispatched as a native tool, not a shell command. The security boundary that Secure Mode enforces sits behind a check the agent never reaches in this code path. The advisory confirms the exploit succeeded with Secure Mode on and Auto Execution off — the most restrictive published configuration of the IDE.
The space character is escaped on the Pattern path, so the injected flag can’t be followed by inline arguments. Pillar bypasses that by staging the payload as a separate file first — a permitted action — and then calling find_by_name whose match passes that file to sh. Two ordinary operations chained through one ordinary tool produce RCE.
Why it matters
The Antigravity finding is the canonical 2026 example of tool-parameter injection in agentic IDEs. Three observations make it worth understanding even if you do not use Antigravity.
First, prompt injection is no longer the interesting part of the chain. The injected text is a single line. The work is being done by the tool design: a parameter that crosses the boundary from “data the LLM controls” to “argv to a shell utility” without an argument terminator. Cursor’s CVE-2026-22708, also documented by Pillar, follows the same shape. So does the Anthropic MCP STDIO transport class of CVEs documented in April. The attack surface in 2026 is the gap between “the LLM passes data to a tool” and “the tool interprets that data as a command structure”.
Second, the “native tool” classification is a load-bearing concept that few users understand. Antigravity’s threat model assumed that gating shell commands behind Secure Mode would cover dangerous operations. In practice, a tool that wraps fd does the same things sh would do, just through a different code path. The shell-vs-native distinction is meaningful inside the agent, invisible to the operating system, and unhelpful as a security boundary.
Third, the indirect-injection path means the user does not need to be tricked into anything elaborate. Cloning a repository, opening a file, asking the agent to summarise it — any of those is enough for the embedded instructions to land in the agent’s context. The published exploit needs no authentication, no compromised account, no malicious extension.
Defenses
The bug itself is patched in Antigravity. The class is not.
The first defense, both at the IDE vendor layer and inside any in-house agent stack, is to terminate arguments at the tool boundary. Whenever an LLM-supplied string is interpolated into a command line, prepend --, validate against an allowlist of characters appropriate to the parameter (file-name patterns do not start with -), and reject input that contains shell-style flags or path traversal. The fix here is one line of input validation. The bug exists because that line was missing.
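To make the first defense concrete, here is an added example (my code, not Antigravity's or Pillar's) of the flawed argv shape beside a hardened wrapper; the function names, the character allowlist and the workspace-confinement rule are assumptions about how such a wrapper is written, only the fd options (-e, --) are real:

```python
import re
from pathlib import Path

# Allowlist for a file-name pattern: glob/regex-ish characters only. No '/',
# whitespace or shell metacharacters. Constructed for this example.
_PATTERN_OK = re.compile(r"[A-Za-z0-9_.*?\-\[\]]+")
_EXT_OK = re.compile(r"[A-Za-z0-9]+")


class ToolInputError(ValueError):
    """Raised when an LLM-supplied tool parameter fails validation."""


def build_argv_vulnerable(pattern, extensions, directory):
    # The flawed shape: Pattern lands in argv with no '--' terminator, so a
    # value beginning with '-' (e.g. "-Xsh") is parsed by fd as an option.
    argv = ["fd"]
    for ext in extensions:
        argv += ["-e", ext]
    return argv + [pattern, directory]


def validate_pattern(pattern):
    # Reject what a search pattern never needs: a leading '-' (flag
    # injection), path separators, whitespace and shell metacharacters.
    if not pattern or pattern[0] == "-":
        raise ToolInputError("pattern must be non-empty and not start with '-'")
    if not _PATTERN_OK.fullmatch(pattern):
        raise ToolInputError("pattern contains disallowed characters")
    return pattern


def validate_directory(directory, workspace):
    # Resolve the search root and confine it to the workspace ('..' escapes
    # and absolute paths outside the workspace are refused).
    root = Path(workspace).resolve()
    target = Path(workspace, directory).resolve()
    if not target.is_relative_to(root):
        raise ToolInputError("search directory escapes the workspace")
    return str(target)


def build_argv_hardened(pattern, extensions, directory, workspace):
    # Every LLM-controlled value is validated, and '--' makes fd read the
    # pattern and path as positionals whatever they contain. Execute with
    # subprocess.run(argv) (a list, never shell=True).
    argv = ["fd"]
    for ext in extensions:
        if not _EXT_OK.fullmatch(ext):
            raise ToolInputError("extension must be alphanumeric")
        argv += ["-e", ext]
    return argv + ["--", validate_pattern(pattern),
                   validate_directory(directory, workspace)]
```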
The second defense is to classify tool calls by their effect, not by their wrapper. If a tool can ultimately execute a binary, run a script, or write outside the workspace, it belongs behind the same sandbox boundary as a raw shell command, regardless of whether the agent code labels it “native”. Secure Mode in Antigravity should — and will, after the patch — evaluate find_by_name the same way it evaluates run_in_terminal. Application teams running their own agents should audit every tool for the same property.
The third defense is process isolation at the agent runtime. Run the agent in a container or VM with no host filesystem mount beyond the working repository, no outbound network unless explicitly required for a single task, and a separate identity from the developer account. The Antigravity exploit’s escape path included writing to ~/.zshrc and launching native applications; an isolated runtime collapses that blast radius to a disposable sandbox.
The fourth defense is to treat untrusted repositories as untrusted code, not as data. Pulling a public repo into an agentic IDE is the 2026 equivalent of opening an attachment from an unknown sender. Open it cold first if you must, with the agent disabled or read-only, and run security review tools across the file tree before any agentic feature touches it.
A separate hardening step: subscribe to the cascade. The Antigravity advisory cross-references Cursor’s CVE-2026-22708, the Anthropic MCP STDIO class, and the Microsoft Semantic Kernel RCE chain (CVE-2026-25592, CVE-2026-26030). Every framework that lets a model call a tool with under-validated arguments is a candidate for the next entry. Tracking the OX Security, Pillar and CSA disclosure feeds is cheaper than waiting for your own incident.
Status
| Item | Reference | Date | Notes |
|---|---|---|---|
| Pillar Security advisory | "Prompt Injection leads to RCE and Sandbox Escape in Antigravity" | 2026-04-20 | Primary disclosure; full PoC with Secure Mode on |
| Press coverage | The Hacker News, CSO Online, Dark Reading, CyberScoop | 2026-04-21 | Independent corroboration |
| CSA Labs research note | Agentic IDE prompt injection sandbox escape | 2026-04 | Frames as systemic agentic-IDE class |
| Initial report to Google | Pillar → Google AI VRP | 2026-01-07 | Acknowledged same day |
| Fix shipped | Google Antigravity | 2026-02-28 | 52 days after report |
| VRP bounty | Google AI VRP | 2026-03-26 | AI-specific category |
| Related advisories | Cursor CVE-2026-22708, Anthropic MCP STDIO, Semantic Kernel CVE-2026-25592 / CVE-2026-26030 | 2026-02 to 2026-04 | Same root pattern: under-validated tool parameters reach a shell |
The Antigravity story is short and worth keeping. A single missing -- was the difference between a file search and a remote code execution. Every agentic IDE on the market today has dozens of find_by_name-class tools, and most of them were designed before “tool parameter injection” was a phrase anyone used. Audit accordingly.
Sources
- https://www.pillar.security/blog/prompt-injection-leads-to-rce-and-sandbox-escape-in-antigravity
- https://thehackernews.com/2026/04/google-patches-antigravity-ide-flaw.html
- https://www.csoonline.com/article/4161382/prompt-injection-turned-googles-antigravity-file-search-into-rce.html
- https://cyberscoop.com/google-antigravity-pillar-security-agent-sandbox-escape-remote-code-execution/
- https://www.darkreading.com/vulnerabilities-threats/google-fixes-critical-rce-flaw-ai-based-antigravity-tool
- https://labs.cloudsecurityalliance.org/research/csa-research-note-agentic-ide-prompt-injection-sandbox-escap/