Embrace the Red's resource offers insights, tutorials, and resources for developers and enthusiasts interested in game development and game design. Readers can learn about game design principles, storytelling techniques, and game development tools. With articles, tutorials, and game reviews, Embrace the Red provides  guidance and expertise for creating immersive and engaging gaming experiences.

Embrace The Red

Security researcher discovers five critical vulnerabilities in Google's new Antigravity IDE, including remote code execution via indirect prompt injection, data exfiltration through multiple vectors, and hidden instruction execution using invisible Unicode characters. These issues were previously reported in Windsurf (which Antigravity is based on) but remain unpatched. The vulnerabilities exploit the IDE's auto-execute features, lack of human-in-the-loop controls for MCP tool invocations, and over-reliance on LLM output for security decisions. Practical mitigations include disabling auto-execute, carefully managing MCP server permissions, and considering alternative IDEs until fixes are deployed.

Antigravity Grounded! Security Vulnerabilities in Google's Latest IDE · Embrace The Red

Issue #2: Antigravity Follows Hidden Instructions

Issue #3: Lack of Human in the Loop for MCP

Issue #4: Data Exfiltration via read_url_content

Issue #5: Data Exfiltration via Image Rendering

Came here thinking, the missing gravity is the culprit.

So on googles bug bounty site, that screen shot is from the “invalid Reports” section. <a href="https://bughunters.google.com/learn/invalid-reports/google-products/4655949258227712/antigravity-known-issues" target="_blank" rel="noopener nofollow">https://bughunters.google.com/learn/invalid-reports/google-products/4655949258227712/antigravity-known-issues</a>
So im confused now, is the team at Google saying these issues (like the one you demo in the blog) are not issues? Or they are stating it is a issue but its not anything critical to patch?