Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
jsmith99 6 hours ago

There's nothing specific to Gemini and Antigravity here. This is an issue for all agent coding tools with cli access. Personally I'm hesitant to allow mine (I use Cline personally) access to a web search MCP and I tend to give it only relatively trustworthy URLs.

ArcHound 6 hours ago | parent | next [-]

For me the story is that Antigravity tried to prevent this with a domain whitelist and file restrictions.

They forgot about a service which enables arbitrary redirects, so the attackers used it.

And LLM itself used the system shell to pro-actively bypass the file protection.

dabockster 4 hours ago | parent | prev | next [-]

> Personally I'm hesitant to allow mine (I use Cline personally) access to a web search MCP and I tend to give it only relatively trustworthy URLs.

Web search MCPs are generally fine. Whatever is facilitating tool use (whatever program is controlling both the AI model and MCP tool) is the real attack vector.

connor4312 3 hours ago | parent | prev | next [-]

Copilot will prompt you before accessing untrusted URLs. It seems a crux of the vulnerability that the user didn't need to consent before hitting a url that was effectively an open redirect.

simonw 3 hours ago | parent [-]

Which Copilot?

Does it do that using its own web fetch tool or is it smart enough to spot if it's about to run `curl` or `wget` or `python -c "import urllib.request; print(urllib.request.urlopen('https://www.example.com/').read())"`?

informal007 3 hours ago | parent | prev | next [-]

Speaking of filtering trustworthy URLs, Google is the best option to do that because he has more historical data in search business.

Hope google can do something for preventing prompt injection for AI community.

danudey 2 hours ago | parent | next [-]

Maybe if they incorporated this into their Safe Browsing service that could be useful. Otherwise I'm not sure what they're going to do about it. It's not like they can quickly push out updates to Antigravity users, so being able to identify issues in real time isn't useful without users being able to action that data in real time.

simonw 2 hours ago | parent | prev [-]

I don't think Google get an advantage here, because anyone can spin up a brand new malicious URL on an existing or fresh domain any time they want to.

IshKebab 5 hours ago | parent | prev [-]

I do think they deserve some of the blame for encouraging you to allow all commands automatically by default.

buu700 4 hours ago | parent [-]

YOLO-mode agents should be in a dedicated VM at minimum, if not a dedicated physical machine with a strict firewall. They should be treated as presumed malware that just happens to do something useful as a side effect.

Vendors should really be encouraging this and providing tooling to facilitate it. There should be flashing red warnings in any agentic IDE/CLI whenever the user wants to use YOLO mode without a remote agent runner configured, and they should ideally even automate the process of installing and setting up the agent runner VM to connect to.