CISOOnline

Prompt injection turned Google’s Antigravity file search into RCE

Google’s sandbox never got a chance

Antigravity’s Secure Mode, which is designed to restrict network access, prevent out-of-workspace writes, and ensure all command operations run strictly under a sandbox context, could not flag or quarantine this technique. This is because the find_my_name tool is called well before Secure Mode restrictions are evaluated.

“The agent treats it as a native tool invocation, not a shell command, so it never reaches the security boundary that Secure Mode enforces,” the researchers noted.

The issue was narrowed down to a twofold root cause. The first was “no input validation” at the Pattern parameter, which accepts arbitrary strings without checking for legitimate search pattern characters. The second was “no argument termination,” which refers to fd’s inability to distinguish between flags and search terms.

Google has already fixed the flaw internally, and Antigravity users need not do anything else to remain protected. However, the flaw’s ability to bypass Secure Mode, Pillar researchers point out, underlines that security controls focused on shell commands are insufficient. “The industry must move beyond sanitization-based controls toward execution isolation,” they said. “Every native tool parameter that reaches a shell command is a potential injection point.”
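The two root causes map onto two checks in whatever wrapper builds the fd command line. The sketch below is an added example, not Google’s or Pillar’s code: the function names, the character allowlist and the sample values are assumptions made for illustration.

```python
import re
import subprocess

# Assumed allowlist for file-name search patterns (letters, digits, glob characters).
ALLOWED_PATTERN = re.compile(r"[A-Za-z0-9_.*?\[\]{},-]{1,128}")


class PatternRejected(ValueError):
    """Raised when a tool-supplied pattern is not a plausible search pattern."""


def validate_pattern(pattern):
    """Root cause 1: check the Pattern value before it goes anywhere near fd."""
    if not isinstance(pattern, str) or not ALLOWED_PATTERN.fullmatch(pattern):
        raise PatternRejected("pattern contains characters outside the allowlist")
    if pattern.startswith("-"):
        raise PatternRejected("pattern must not look like a command-line flag")
    return pattern


def build_argv_unterminated(pattern, search_dir):
    """The 'before' shape: the value sits where fd still parses options."""
    return ["fd", pattern, search_dir]


def build_argv_hardened(pattern, search_dir):
    """Root cause 2: everything after '--' is positional, never a flag."""
    return ["fd", "--glob", "--", validate_pattern(pattern), search_dir]


def parsed_as_option(argv, value):
    """True if `value` starts with '-' and appears before any '--' terminator."""
    idx = argv.index(value)
    return value.startswith("-") and "--" not in argv[:idx]


def run_search(pattern, search_dir):
    """Run fd with an argv list (no shell), so nothing is re-split or expanded."""
    argv = build_argv_hardened(pattern, search_dir)
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    constructed = "--constructed-flag"  # constructed sample, not a real fd option
    print(parsed_as_option(build_argv_unterminated(constructed, "."), constructed))
    print(build_argv_hardened("*.md", "."))
```

Validation and the `--` terminator are independent layers: the terminator alone keeps a dash-leading value positional, and the allowlist rejects it before fd is ever started.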


