The attack that arrives in your calendar and waits

Most attacks need you to do something: click a link, open an attachment, type a password into the wrong box. The promptware attacks demonstrated against Gemini by SafeBreach researchers Ben Nassi, Stav Cohen, and Or Yair need you to do something too, but the something is so ordinary you would never think twice about it. You ask your AI assistant what is on your schedule.

Their research, titled "Invitation Is All You Need," targets Gemini as it lives inside Google Workspace - the version threaded through Gmail, Calendar, and the rest, able to summarize your day and increasingly able to take actions through connected tools. The delivery mechanism is a Google Calendar invitation. The attacker puts an indirect prompt injection into the invite's title (and body), then sends it to the victim. That is the entire payload. The invite sits there, doing nothing, until Gemini reads it.

How a meeting title becomes a command

Indirect prompt injection is the now-familiar failure where a model cannot tell the difference between content it is supposed to summarize and instructions it is supposed to obey. The two arrive as the same stream of tokens. When the victim later asks Gemini something innocent - "what's on my calendar?", "summarize my week" - Gemini dutifully pulls in the relevant calendar data to answer. Among that data is the attacker's invite, and inside the invite is text written to read as instructions rather than as a meeting subject.

The researchers call the result delayed automatic tool invocation. The malicious instructions do not fire when the invite arrives. They fire later, when the user's own innocuous request causes Gemini to ingest the poisoned context. By then the trigger looks like the user's idea. From the victim's point of view, they asked about their calendar; from Gemini's point of view, it received a calendar entry that told it to do something else entirely, using whatever agents and tool permissions the assistant has available.

The detail that makes the calendar vector nasty is that the victim does not even have to accept the invite. The poisoned text is in the calendar regardless, waiting for Gemini to read it during a routine query. The attack hides inside a feature - calendar awareness - that exists precisely so the assistant can be helpful.

Fourteen scenarios, and the one that opens your windows

The paper lays out 14 attack scenarios spanning a range of harms, and lateral movement between Gemini's tools, between different agents, and across applications. Several are the kind of digital mischief you would expect once an assistant can be steered:

• Spam and phishing generated and sent in the victim's voice.
• Toxic and abusive content produced on demand.
• Deleting the victim's calendar events, quietly rearranging their life.
• Data exfiltration, including assembling stolen data into a URL the assistant is induced to fetch.
• Geolocating the victim by forcing a visit to a tracking URL, and recording the victim by driving a connected app such as Zoom.

And then the part that lifts this out of the usual prompt-injection drawer: the physical-world actions. Because Gemini's agent ecosystem can reach into Google's smart-home integrations, the researchers showed a poisoned calendar invite driving Gemini to control connected devices - opening smart windows and turning on a boiler, among other actions. This is the line a lot of AI security research has been gesturing at for a while, crossed in a lab: a sentence in a calendar field, processed by an assistant, reaching out and moving something in your actual house.

The researchers assessed the severity of the scenarios and found a large majority of the identified threats fell into the High-Critical band, the kind warranting prompt mitigation rather than a shrug.

Why the physical dimension matters

Plenty of prompt-injection incidents end at data: read the private thing, leak the private thing. That is serious, but it is legible. We have decades of intuition about information theft. What "Invitation Is All You Need" demonstrates is that once you wire an AI assistant to agents that actuate the world - locks, windows, heating, recording devices - the blast radius of a prompt-injection bug stops being purely informational. A boiler turned on while you are away, a window opened, a microphone or camera activated: these are safety questions, and not merely privacy ones.

The uncomfortable part is that none of the individual pieces are misconfigured in an obvious way. Gemini reading your calendar is a feature. Gemini being able to control your smart home is a feature. Gemini acting on a plain request like "what's on my calendar?" is the feature. The vulnerability lives in the seam, where untrusted text from a third party (the invite) flows into a privileged actor (the assistant with home-control tools) through a trusted-looking channel (your own calendar query). Each capability was added for a good reason. Composed without a hard boundary between "content to summarize" and "instructions to execute," they become a remote control an attacker can mail to you.

Disclosure and Google's response

This was responsible research, not an in-the-wild attack. The researchers disclosed the findings to Google around February 2025. Google acknowledged the work, and - per the reporting - treated it seriously enough to reprioritize internal workstreams and mobilize teams in response, publishing guidance on defending against prompt injection and rolling out mitigations including behavior-based detection and additional user-verification steps. By the time the work was presented publicly in August 2025, at Black Hat USA and DEF CON, Google said its mitigations had pulled the assessed risk down substantially.

Two honest caveats. First, this is a proof of concept: there is no public evidence that these attacks were used against real Google Workspace customers. The harm is demonstrated capability, not confirmed exploitation. Second, the most cinematic scenarios - the smart-home actions - depend on the victim having the relevant integrations connected and reachable by Gemini. Not every user is exposed to the boiler trick. But "only the users who connected their smart home" is not a comforting carve-out when connecting your smart home is exactly what these products are nudging everyone to do.

Graveyard lesson

"Invitation Is All You Need" earns its place here for proving, concretely, that AI prompt injection can reach off the screen and into physical space. The standout is not that Gemini could be made to write spam; it is that a calendar invite could end with a window open and a boiler running.

The defensive lessons are the ones the field keeps relearning. Untrusted third-party content - and a calendar invite from a stranger is exactly that - must not be allowed to flow into an assistant's instruction stream as if the user wrote it. High-consequence tool actions, and physical-world actions most of all, deserve explicit, in-the-moment user confirmation rather than silent invocation triggered by a casual query. And capabilities should be scoped so that asking "what's on my calendar?" cannot, by itself, become permission to operate the house. An assistant that can do anything for you can be told to do anything to you, and the instruction can arrive in a meeting invite you never even opened.