Summary
`setup/sh/install_antigravity_cli.sh` silently skips SHA256 checksum verification when `checksums.txt` returns HTTP 404, then installs an unverified binary as `/usr/local/bin/agy` with `sudo install`. This creates a conditional supply chain integrity gap.
Vulnerable code path
```bash
# setup/sh/install_antigravity_cli.sh
VERIFY_CHECKSUM=true
if [ "${CHECKSUMS_DOWNLOAD_STATUS}" = "404" ]; then
    echo "WARNING: checksums.txt not found for version ${VERSION}; skipping checksum verification."
    rm -f "${TEMP_DIR}/checksums.txt"
    VERIFY_CHECKSUM=false # ← unverified binary proceeds to installation
elif ...
...
if [ "${VERIFY_CHECKSUM}" = "true" ]; then
    # checksum verified
else
    echo "WARNING: Proceeding without checksum verification for ${TARBALL_NAME}"
fi
sudo install -m 755 "${TEMP_DIR}/antigravity" "${INSTALL_DIR}/${BINARY_NAME}"
```
Threat model
For this bypass to be weaponized, an attacker needs:
- **Write access to the GCS bucket** (antigravitypublic/redacted), to serve a malicious binary without a `checksums.txt`, OR
- **Control over the `VERSION` argument**, to request a version whose `checksums.txt` does not exist on GCS while the binary tarball does.
Because the antigravity-public GCS bucket is publicly named and readable, any version path that exists without a checksums.txt silently installs whatever is at that URL.
Impact
- Binary is installed as a privileged executable (`/usr/local/bin/agy`)
- Runs inside GitHub Actions runners used for agentic workflows with elevated credentials
- The script is deployed to every runner that uses the Antigravity engine via `setup/sh/`
Recommended fix
Replace the 404 warning+continue path with a hard failure:
```bash
if [ "${CHECKSUMS_DOWNLOAD_STATUS}" = "404" ]; then
    echo "ERROR: checksums.txt not found for version ${VERSION} — refusing to install unverified binary."
    exit 1
fi
```
If development/pre-release versions genuinely need to skip verification, that should be an explicit opt-in flag (e.g., `--skip-checksum`) that callers must consciously pass, not a silent fallback.
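As an added example (not the project's script), the shape the fix above describes, carried through to a complete gate: a `verify_artifact` function that fails closed on a 404, an empty or unmatched `checksums.txt`, or a hash mismatch, and installs unverified only when the caller passes an explicit skip argument. The `checksums.txt` format (`<sha256>  <filename>` per line) and the fixture files are assumptions.

```bash
#!/bin/sh
# Added example, not the project's install script. Models the fix above: a
# checksum gate that fails closed when checksums.txt is missing and installs
# unverified only on an explicit opt-out. Assumed checksums.txt format:
# one "<sha256>  <filename>" line per artifact.
set -u

# Portable SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}
# verify_artifact <http status> <checksums path> <artifact path> <name> [skip]
# Returns 0 only when the artifact hash matches its checksums.txt entry, or
# when skip=true was passed deliberately. 404, empty file, missing entry and
# mismatch all return 1, so the caller's `sudo install` step never runs.
verify_artifact() {
  status=$1; checksums=$2; artifact=$3; name=$4; skip=${5:-false}
  if [ "$skip" = "true" ]; then
    echo "WARNING: --skip-checksum given; $name will be installed unverified" >&2
    return 0
  fi
  if [ "$status" != "200" ] || [ ! -s "$checksums" ]; then
    echo "ERROR: checksums.txt unavailable (HTTP $status); refusing to install $name" >&2
    return 1
  fi
  expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$checksums")
  if [ -z "$expected" ]; then
    echo "ERROR: no checksum entry for $name in checksums.txt" >&2
    return 1
  fi
  actual=$(sha256_of "$artifact")
  if [ "$actual" != "$expected" ]; then
    echo "ERROR: checksum mismatch for $name (expected $expected, got $actual)" >&2
    return 1
  fi
  return 0
}

# Constructed fixtures standing in for the downloaded tarball and sidecar file.
DEMO_DIR=$(mktemp -d); trap 'rm -rf "$DEMO_DIR"' EXIT
printf 'demo tarball bytes\n' > "$DEMO_DIR/agy.tar.gz"
printf '%s  agy.tar.gz\n' "$(sha256_of "$DEMO_DIR/agy.tar.gz")" > "$DEMO_DIR/checksums.txt"
# Good download verifies; a 404 on checksums.txt is refused rather than warned past.
verify_artifact 200 "$DEMO_DIR/checksums.txt" "$DEMO_DIR/agy.tar.gz" agy.tar.gz && echo "verified"
if ! verify_artifact 404 "$DEMO_DIR/checksums.txt" "$DEMO_DIR/agy.tar.gz" agy.tar.gz; then echo "refused"; fi
```

In the real script the gate would sit between the download and the `sudo install` line, with the skip argument wired to a `--skip-checksum` flag.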
Other findings (clean)
- OTLP telemetry: Entirely opt-in, user-configured endpoints only — not a threat.
- `validate_secrets.cjs`: Calls only first-party API endpoints (api.github.com, api.anthropic.com, api.openai.com, api.search.brave.com) for diagnostic validation — no exfiltration patterns found.
- Standard install scripts (`install_copilot_cli.sh`, `install_awf_binary.sh`, `install_threat_detect_binary.sh`): All use mandatory SHA256 verification — clean.
- Network proxies: DIFC integrity filtering is expected security architecture — clean.
- No crypto mining, no obfuscated blobs, no exfiltration to untrusted third-party endpoints.
Generated by Daily Runtime Threat Scan for issue #172