Evaluation record ยท google-antigravity

Google Antigravity

vPublic preview (2026)

Google

Agentideagentic-codingparallel-agentsproprietary
59
Concerning
About This Agent

Google's agent-first development platform (launched 2025-11-18 with Gemini 3): an IDE built on licensed Windsurf code where an agent manager orchestrates autonomous agents across editor, terminal, and browser, verifying work through artifacts (plans, task lists, screenshots, recordings). Also the home of the closed-source 'agy' CLI that replaced consumer Gemini CLI (June 2026). Free public preview whose first months were marred by serious, well-documented security failures.

Last Evaluated: July 9, 2026
Official Website

Trust Vector Analysis

Dimension Breakdown

๐Ÿš€Performance & Reliability
+
task completion accuracy

Assessment of agentic task completion using Gemini 3-class models and multi-surface tooling, from vendor documentation and independent reviews

Evidence
Google Developers Blog - Build with Google Antigravity โ€” Agents powered by Gemini 3 Pro (plus Claude Sonnet/Opus and GPT-OSS-120B options) complete asynchronous coding tasks end-to-end, with browser control for verifying web apps
mediumVerified: 2026-07-09
tool use reliability

Review of cross-surface (editor/terminal/browser) tool loop reliability in public preview

Evidence
VentureBeat - Antigravity agent-first architecture โ€” Agents operate editor, terminal, and an embedded browser in one loop; browser-use verification is a differentiator, though preview-quality rough edges are widely reported
mediumVerified: 2026-07-09
multi step planning

Evaluation of plan-artifact generation and adherence on long-horizon tasks

Evidence
Google Developers Blog - Build with Google Antigravity โ€” Agents produce implementation plans and task lists as first-class artifacts before executing, designed for delegating complex multi-step work
mediumVerified: 2026-07-09
memory persistence

Review of cross-task knowledge retention features as documented in preview materials

Evidence
Google Antigravity โ€” Agents accumulate a knowledge base of learnings across tasks within the workspace; persistence depth across projects is not well documented in preview
lowVerified: 2026-07-09
error recovery

Assessment of autonomous iteration and failure handling from launch coverage and user reports

Evidence
VentureBeat - Antigravity agent-first architecture โ€” Agents iterate against test results and browser-verified behavior; preview users report occasional runaway or stalled tasks requiring manual intervention
lowVerified: 2026-07-09
agent collaboration

Review of the agent manager orchestration model for parallel task execution

Evidence
Google Developers Blog - Build with Google Antigravity โ€” The Manager view is a mission-control surface for spawning and supervising multiple agents working in parallel across workspaces
mediumVerified: 2026-07-09
๐Ÿ›ก๏ธSecurity
+

Security is the defining weakness of Antigravity's first six months: a Strict Mode sandbox escape to RCE (reported 2026-01-07, patched 2026-02-28), launch-day credential exfiltration via indirect prompt injection with default-on auto-execution, inherited unpatched Windsurf issues, and an active trojanized-installer campaign. Google's pedigree did not translate into a hardened launch.

tool sandboxing

Security review of the sandbox model against the published bypass; the flaw is patched, but a sandbox defeated by flag injection in a core tool indicates immature enforcement architecture

Evidence
Pillar Security - Prompt Injection leads to RCE and Sandbox Escape in Antigravity โ€” Critical flaw: the find_by_name tool passed its Pattern parameter unsanitized to fd, so injecting the -X (exec-batch) flag executed arbitrary binaries, bypassing Strict Mode entirely because the tool ran before sandbox constraints were evaluated. Reported 2026-01-07, fixed 2026-02-28, disclosed 2026-04-20; triggerable via indirect prompt injection. No CVE assigned
The Hacker News - Google Patches Antigravity IDE Flaw โ€” Google patched the sandbox-escape RCE; Strict Mode's guarantees (network limits, no out-of-workspace writes, sandboxed commands) were shown to be bypassable by a single crafted tool parameter
highVerified: 2026-07-09
access control

Review of default autonomy policies, approval model, and org-level controls in the preview

Evidence
TechRadar Pro - Antigravity's worrying security issues โ€” At launch, default policies ('Agent Decides' review mode, terminal command auto-execution) let agents run commands and read credentials without per-action approval; consumer preview lacks enterprise admin controls
mediumVerified: 2026-07-09
prompt injection defense

Assessment of demonstrated indirect prompt injection attack chains at launch against documented mitigations; multiple independent researchers achieved credential exfiltration with default settings

Evidence
PromptArmor - Google Antigravity Exfiltrates Data โ€” Launch-week demonstration: hidden instructions in a poisoned integration guide made the agent collect .env credentials and exfiltrate them via the browser subagent to webhook.site, which sat on the default URL allowlist
Simon Willison - Google Antigravity Exfiltrates Data โ€” The agent bypassed its own .gitignore protection by cat-ing files through run_command; Google's Bug Hunters page classifies prompt-injection data exfiltration and code execution as 'known issues' ineligible for bounty, several inherited from the Windsurf codebase and reported to Windsurf in May 2025
highVerified: 2026-07-09
data isolation

Review of agent access to local secrets, exfiltration channels, and the ecosystem attack surface around distribution

Evidence
Google Bug Hunters - Antigravity Known Issues โ€” Google acknowledges data exfiltration via the browser agent and prompt-injection code execution as known issues under remediation; workspace secrets and local files are reachable by agents by design
Malwarebytes - Fake Google Antigravity downloads โ€” Supply-chain adjacent risk: malvertised lookalike domains shipped the genuine Antigravity installer trojanized with an infostealer, harvesting browser sessions and credentials within minutes
mediumVerified: 2026-07-09
open source transparency

Source availability assessment, crediting the public known-issues documentation while noting the open-to-closed regression from Gemini CLI

Evidence
The New Stack - Gemini CLI vs Antigravity โ€” Closed-source VS Code fork built on non-exclusively licensed Windsurf code; the agy CLI is a closed Go binary that replaced the Apache-2.0 Gemini CLI (105K+ stars, 6,000+ community PRs). Partial credit: Google publicly documents known security issues and paid Pillar's bounty
highVerified: 2026-07-09
๐Ÿ”’Privacy & Compliance
+
data retention

Review of preview terms of service regarding training use and retention of interaction data

Evidence
Google Antigravity Terms โ€” Preview terms allow Google to use interactions (prompts, code context) to improve and train models by default for consumer accounts, with an opt-out; Workspace/GCP-governed accounts are excluded from training use
mediumVerified: 2026-07-09
gdpr compliance

Compliance posture assessment distinguishing Google-level programs from preview-product guarantees

Evidence
Google Antigravity โ€” Backed by Google's corporate compliance programs (GDPR, ISO/SOC portfolio), but Antigravity itself is a free public preview without product-specific compliance attestations or enterprise data terms
mediumVerified: 2026-07-09
third party data sharing

Data flow analysis of multi-provider model routing

Evidence
Google Developers Blog - Build with Google Antigravity โ€” Model choice includes Anthropic Claude Sonnet/Opus and GPT-OSS-120B alongside Gemini, routing code and prompts to non-Google providers when selected
mediumVerified: 2026-07-09
local deployment option

Deployment options assessment

Evidence
Google Antigravity โ€” IDE and agents run locally on macOS/Windows/Linux, but all model inference is cloud-based with a Google account requirement; no offline or self-hosted inference
highVerified: 2026-07-09
๐Ÿ‘๏ธTrust & Transparency
+
documentation quality

Documentation completeness review for a preview-stage product

Evidence
Google Antigravity โ€” Launch documentation covers the manager surface, artifacts, and model options; security-relevant defaults and policies were underdocumented at launch relative to the product's autonomy
mediumVerified: 2026-07-09
execution traceability

Review of the artifact audit-trail model; genuinely strong design, though artifacts are agent-generated and share the self-reporting caveat

Evidence
VentureBeat - Antigravity agent-first architecture โ€” Artifact-based verification is the product's core idea: agents emit task lists, implementation plans, screenshots, and browser recordings as a reviewable audit trail instead of raw tool-call logs
mediumVerified: 2026-07-09
decision explainability

Assessment of plan and verification artifact quality as explanation mechanisms

Evidence
Google Developers Blog - Build with Google Antigravity โ€” Implementation-plan artifacts expose intended approach before execution, and verification artifacts (screenshots, recordings) evidence what was actually done
mediumVerified: 2026-07-09
open source code

Open source assessment; the deliberate replacement of a major OSS tool with a closed binary weighs against Google here

Evidence
9to5Google - Gemini CLI and Code Assist shutting down for consumers โ€” Closed-source platform; Google shut off the open-source Gemini CLI for consumer tiers on 2026-06-18 and pointed individuals to the closed agy binary, a full rewrite shipping ~20 free requests/day versus Gemini CLI's 1,000
highVerified: 2026-07-09
community activity

Community engagement analysis balancing launch momentum against migration backlash

Evidence
The New Stack - Gemini CLI vs Antigravity โ€” High adoption interest from the Gemini 3 launch wave, but significant community backlash over the Gemini CLI shutdown, free-tier quota cuts, and the closed-source pivot
mediumVerified: 2026-07-09
โš™๏ธOperational Excellence
+
ease of integration

Onboarding and integration friction assessment

Evidence
Google Developers Blog - Build with Google Antigravity โ€” Free download for macOS/Windows/Linux with a familiar VS Code-derived editor, generous Gemini 3 Pro rate limits, and sign-in with a Google account
highVerified: 2026-07-09
scalability

Scalability assessment of parallel agent execution under preview rate limits

Evidence
Google Antigravity โ€” Manager view fans out parallel agents locally; scale is bounded by preview rate limits, which Google adjusts without an SLA
lowVerified: 2026-07-09
cost predictability

Pricing predictability analysis; zero cost today but high uncertainty about limits and future pricing

Evidence
9to5Google - Gemini CLI and Code Assist shutting down for consumers โ€” Currently free, but preview quotas shift without notice, agy's free tier is roughly 20 requests/day, and post-preview pricing is unannounced; the Gemini CLI shutdown shows Google will change individual-tier terms abruptly
mediumVerified: 2026-07-09
monitoring capabilities

Monitoring and governance features assessment for the preview release

Evidence
Google Antigravity โ€” Manager view provides per-agent progress and artifacts, but there are no organizational dashboards, usage analytics, or admin policy controls in the consumer preview
lowVerified: 2026-07-09
production readiness

Product maturity assessment weighing Google's resources against preview status and the 2025-2026 security record

Evidence
Dark Reading - Google Fixes Critical RCE Flaw in Antigravity โ€” Public preview with an eight-week-old critical RCE at disclosure, unresolved 'known issue' prompt-injection classes, forced consumer migration churn from Gemini CLI, and no enterprise tier; Google's backing ensures longevity but not current stability
mediumVerified: 2026-07-09
Strengths
  • +Artifact-based verification (plans, task lists, screenshots, browser recordings) is a best-in-class transparency design
  • +Agent manager orchestrates parallel autonomous agents across editor, terminal, and browser in one surface
  • +First-class Gemini 3 Pro access with model choice (Claude Sonnet/Opus, GPT-OSS-120B) at zero cost in preview
  • +Google patched the critical sandbox-escape RCE within eight weeks of report and paid an external bounty
  • +Cross-platform (macOS/Windows/Linux) with a familiar VS Code-derived editor
Limitations
  • !Worst security launch record among major agent IDEs: launch-day credential exfiltration via indirect prompt injection (PromptArmor, Rehberger), default auto-execution policies, and webhook.site on the default allowlist
  • !Strict Mode sandbox was bypassable to full RCE via -X flag injection in find_by_name (reported 2026-01-07, patched 2026-02-28); no CVE was assigned
  • !Google classifies whole prompt-injection exfiltration classes as 'known issues' ineligible for bounty, several inherited unpatched from the Windsurf codebase
  • !Consumer interactions feed model training by default (opt-out required) unless governed by Workspace/GCP terms
  • !Closed-source pivot: replaced the Apache-2.0 Gemini CLI (shut off for consumers 2026-06-18) with the closed agy binary and ~50x lower free quotas
  • !Trojanized-installer malvertising campaign actively targets its download funnel (Malwarebytes, Apr 2026)
  • !Preview product: no SLA, no enterprise controls, quotas and terms change without notice
Metadata
license: Proprietary (closed-source fork built on non-exclusively licensed Windsurf code; agy CLI is a closed Go binary)
supported models
0: Google Gemini 3 Pro / Gemini 3 family (primary)
1: Anthropic Claude Sonnet 4.5/4.6 and Opus 4.6
2: GPT-OSS-120B
programming languages
0: All languages supported by the VS Code ecosystem
deployment type: Local IDE + CLI (macOS/Windows/Linux) with cloud model inference; Google account required
tool support
0: Editor, terminal, and embedded browser control
1: Agent manager for parallel agents
2: Artifact generation (plans, task lists, screenshots, recordings)
3: MCP support
4: agy CLI for terminal workflows
first release: 2025-11-18 (public preview, launched with Gemini 3); agy CLI became the consumer path after Gemini CLI's consumer shutdown 2026-06-18
pricing: Free public preview with rate limits (agy CLI free tier ~20 requests/day); post-preview pricing unannounced; enterprise access via Gemini Code Assist licenses
security incidents: Launch-week data-exfiltration chains via indirect prompt injection (2025-11-25, PromptArmor/Rehberger; several issues inherited from Windsurf, reported to Windsurf May 2025); Strict Mode sandbox escape to RCE via find_by_name -X flag injection (reported 2026-01-07, patched 2026-02-28, disclosed 2026-04-20 by Pillar Security, no CVE); trojanized-installer malvertising campaign (Malwarebytes, Apr 2026)

Use Case Ratings

code generation

Strong Gemini 3-powered agentic coding with a genuinely novel artifact-verification workflow, held back by preview instability and security caveats

research assistant

Embedded browser control lets agents research documentation and verify behavior, but browsing is also its most-exploited attack surface

data analysis

Capable of building and running analysis code across editor and terminal; no analytics-specific tooling

education

Free access and visible plans/artifacts aid learning, but default autonomy settings are a poor fit for unsupervised beginners