Google Antigravity
vPublic preview (2026)Google's agent-first development platform (launched 2025-11-18 with Gemini 3): an IDE built on licensed Windsurf code where an agent manager orchestrates autonomous agents across editor, terminal, and browser, verifying work through artifacts (plans, task lists, screenshots, recordings). Also the home of the closed-source 'agy' CLI that replaced consumer Gemini CLI (June 2026). Free public preview whose first months were marred by serious, well-documented security failures.
Trust Vector Analysis
Dimension Breakdown
๐Performance & Reliability+
Assessment of agentic task completion using Gemini 3-class models and multi-surface tooling, from vendor documentation and independent reviews
Review of cross-surface (editor/terminal/browser) tool loop reliability in public preview
Evaluation of plan-artifact generation and adherence on long-horizon tasks
Review of cross-task knowledge retention features as documented in preview materials
Assessment of autonomous iteration and failure handling from launch coverage and user reports
Review of the agent manager orchestration model for parallel task execution
๐ก๏ธSecurity+
Security is the defining weakness of Antigravity's first six months: a Strict Mode sandbox escape to RCE (reported 2026-01-07, patched 2026-02-28), launch-day credential exfiltration via indirect prompt injection with default-on auto-execution, inherited unpatched Windsurf issues, and an active trojanized-installer campaign. Google's pedigree did not translate into a hardened launch.
Security review of the sandbox model against the published bypass; the flaw is patched, but a sandbox defeated by flag injection in a core tool indicates immature enforcement architecture
Review of default autonomy policies, approval model, and org-level controls in the preview
Assessment of demonstrated indirect prompt injection attack chains at launch against documented mitigations; multiple independent researchers achieved credential exfiltration with default settings
Review of agent access to local secrets, exfiltration channels, and the ecosystem attack surface around distribution
Source availability assessment, crediting the public known-issues documentation while noting the open-to-closed regression from Gemini CLI
๐Privacy & Compliance+
Review of preview terms of service regarding training use and retention of interaction data
Compliance posture assessment distinguishing Google-level programs from preview-product guarantees
Data flow analysis of multi-provider model routing
Deployment options assessment
๐๏ธTrust & Transparency+
Documentation completeness review for a preview-stage product
Review of the artifact audit-trail model; genuinely strong design, though artifacts are agent-generated and share the self-reporting caveat
Assessment of plan and verification artifact quality as explanation mechanisms
Open source assessment; the deliberate replacement of a major OSS tool with a closed binary weighs against Google here
Community engagement analysis balancing launch momentum against migration backlash
โ๏ธOperational Excellence+
Onboarding and integration friction assessment
Scalability assessment of parallel agent execution under preview rate limits
Pricing predictability analysis; zero cost today but high uncertainty about limits and future pricing
Monitoring and governance features assessment for the preview release
Product maturity assessment weighing Google's resources against preview status and the 2025-2026 security record
- +Artifact-based verification (plans, task lists, screenshots, browser recordings) is a best-in-class transparency design
- +Agent manager orchestrates parallel autonomous agents across editor, terminal, and browser in one surface
- +First-class Gemini 3 Pro access with model choice (Claude Sonnet/Opus, GPT-OSS-120B) at zero cost in preview
- +Google patched the critical sandbox-escape RCE within eight weeks of report and paid an external bounty
- +Cross-platform (macOS/Windows/Linux) with a familiar VS Code-derived editor
- !Worst security launch record among major agent IDEs: launch-day credential exfiltration via indirect prompt injection (PromptArmor, Rehberger), default auto-execution policies, and webhook.site on the default allowlist
- !Strict Mode sandbox was bypassable to full RCE via -X flag injection in find_by_name (reported 2026-01-07, patched 2026-02-28); no CVE was assigned
- !Google classifies whole prompt-injection exfiltration classes as 'known issues' ineligible for bounty, several inherited unpatched from the Windsurf codebase
- !Consumer interactions feed model training by default (opt-out required) unless governed by Workspace/GCP terms
- !Closed-source pivot: replaced the Apache-2.0 Gemini CLI (shut off for consumers 2026-06-18) with the closed agy binary and ~50x lower free quotas
- !Trojanized-installer malvertising campaign actively targets its download funnel (Malwarebytes, Apr 2026)
- !Preview product: no SLA, no enterprise controls, quotas and terms change without notice
Use Case Ratings
code generation
Strong Gemini 3-powered agentic coding with a genuinely novel artifact-verification workflow, held back by preview instability and security caveats
research assistant
Embedded browser control lets agents research documentation and verify behavior, but browsing is also its most-exploited attack surface
data analysis
Capable of building and running analysis code across editor and terminal; no analytics-specific tooling
education
Free access and visible plans/artifacts aid learning, but default autonomy settings are a poor fit for unsupervised beginners