Google Antigravity — agentic threat model
Google Antigravity presents a high-risk profile due to its autonomous execution capabilities across local terminals, editors, and browsers, which could be exploited via prompt injection to execute arbitrary code on developer machines.
OWASP AIVSS score rationale
| Autonomy of Action | 0.85 | |
| Goal-Driven Planning | 0.90 | |
| Self-Modification | 0.30 | |
| Dynamic Tool Use | 0.95 | |
| Persistent Memory | 0.50 | |
| Contextual Awareness | 0.80 | |
| Dynamic Identity | 0.20 | |
| Multi-Agent Interactions | 0.80 | |
| Non-Determinism | 0.70 | |
| Opacity & Reflexivity | 0.40 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Utilizes Gemini 3 Pro and other leading models. Highly vulnerable to indirect prompt injection where malicious code in a repository manipulates the model into generating backdoored code or executing harmful terminal commands.
Not certain from the listing — The mechanism for indexing local codebases, managing embeddings, or handling RAG is not detailed, leaving potential gaps in data provenance and local codebase exfiltration risks.
Features autonomous coding agents that plan, code, test, and debug. The primary threat is tool misuse, specifically the agent being tricked into executing destructive or unauthorized commands via the integrated terminal.
Runs locally on Windows, macOS, and Linux. Without explicit sandboxing mentioned, a compromise of the agent's terminal or browser tool translates directly to local host compromise and potential lateral movement in the developer's network.
Includes an 'Artifacts' system to surface plans, patches, logs, and screenshots. While this aids observability, sophisticated prompt injections could attempt to game or bypass these logs to hide malicious activities.
Not certain from the listing — No enterprise-grade access controls, compliance certifications, or policy enforcement mechanisms are detailed for this preview version.
Orchestrates multiple agents in parallel workspaces via the Agent Manager. This introduces risks of agent-to-agent trust abuse, where a compromised sub-agent passes malicious instructions or code patches to a peer agent.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).
These scores are auto-generated from public information (the agent's own listing, docs, and repository) using the canonical OWASP AIVSS formula and the MAESTRO framework — an estimate for guidance, not a penetration test, audit, or certification. See the scoring methodology. Are you the vendor? Factual corrections are free.