antigravity-mcp
Warn
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/apply-optimizations.sh` performs automated patching of JavaScript files within the user's extension directory (`~/.antigravity/extensions`).
  - Evidence: The script uses `sed -i ''` to modify code within `index.js`, `scripts.js`, and `wait-state.js` to change `MAX_TIMEOUT` and other constants.
  - Context: While intended to optimize performance for the vendor's sidecar extension, modifying executable code at runtime is a risky pattern that can lead to application instability or unintended behavior.
- [PROMPT_INJECTION]: The `analyze_code` function in `ag_client.py` ingests untrusted data from a user-provided project directory and includes it in prompts sent to the AI, creating a surface for indirect prompt injection.
  - Ingestion points: `ag_client.py` (via the `project_path` argument in the `analyze_code` function).
  - Boundary markers: Absent; the project path and the resulting analysis request are interpolated via direct string concatenation without delimiters or instructions to ignore embedded commands.
  - Capability inventory: Subprocess execution of local binaries (`ag_client.py`, `scripts/antigravity_cli.py`), and file system write/copy operations (`ag_client.py`, `scripts/antigravity_mcp_client.py`).
  - Sanitization: Absent; the content of the analyzed files is not validated or sanitized before being sent to the AI service.
- [COMMAND_EXECUTION]: Multiple components execute a local binary via the command line.
  - Evidence: Scripts such as `ag_client.py`, `scripts/antigravity_cli.py`, and `scripts/generate_image.py` use `asyncio.create_subprocess_exec` to run the binary located at `~/.config/antigravity-mcp/bin/antigravity-mcp-server`.
  - Context: This is the primary mechanism for the skill's functionality but relies on the existence and integrity of a local binary on the user's system.
Audit Metadata