Gemini Spark wires an agent into your inbox, and Simon Willison is worried
At Google I/O, Google introduced Gemini Spark, a personal assistant that connects directly to Gmail, Calendar, Drive, Docs, Sheets, Slides, YouTube, and Maps. Simon Willison's write-up is less interested in the demo than in what happens when an agent with that much access meets untrusted input.
Spark runs on Gemini 3.5 Flash, and Google's own FAQ adds that it also runs on Antigravity, which Willison finds odd, since Antigravity is a developer tool, a desktop app and VS Code fork, not an obvious thing to name in consumer documentation. His real concern is prompt injection. People will route sensitive email and documents through Spark, and a malicious message or web page could try to redirect the agent. Google says each task runs in a fresh, strictly isolated, ephemeral virtual machine so data does not leak between sessions, but Willison notes there is little public detail on how Spark resists an injection in the first place. He thinks this is a strong candidate for the kind of agent security failure the field has been bracing for.
He also flags a quieter change. The Apache-2.0 licensed, open-source Gemini CLI stops working with Google's AI subscription plans on June 18, replaced by the closed-source Antigravity CLI.
Why it matters
If you are about to let an inbox-connected agent loose on company data, ephemeral VMs protect you from cross-session leaks, not from an email that tells the agent to forward your files. Treat any content the agent reads as a possible instruction, and wait for Google to explain its injection defenses before trusting Spark with anything sensitive.