Google's New AI Agent Gemini Spark Can Secretly Make Purchases on Your Behalf and Users Are Only Now Finding Out the Full Truth
But buried beneath the polished keynote presentations and carefully scripted demonstrations lies a detail that Google chose not to highlight on stage. Internal code discovered within the Google App reveals that Gemini Spark comes with a deeply uncomfortable warning, one that raises urgent questions about user consent, financial safety, and how much trust people are actually being asked to place in an autonomous AI system they may not fully understand.
What Exactly Is Gemini Spark and Why It Matters So Much Right Now
To understand the significance of what has been uncovered, it helps to first understand what Gemini Spark is and how it differs from the AI tools most people are already familiar with.
Google introduced two distinct AI experiences at I/O 2026 that are easy to confuse with one another. The first is Magic Pointer, a device-level AI assistant activated through a gesture-based interaction called Wiggle to Wake. This tool sits on your local device, can see your current screen, and responds to voice commands such as asking what something means or helping you move content around. It is a relatively straightforward and familiar kind of AI assistant, a smarter evolution of tools people have used for years.
Gemini Spark is something fundamentally different. It operates in the cloud, works in the background without requiring active user engagement, and is designed to take real-world actions on your behalf. It carries a visual identity built around the familiar Gemini sparkle icon, now flanked by motion streaks that are meant to symbolise the agent actively working away on tasks even when you are not watching. The intent is clear: Google wants Spark to feel like a tireless digital employee handling your to-do list while you focus on other things.
That ambition, however, comes with risks that the company has quietly acknowledged in its own internal onboarding text.
The Hidden Warning That Google Did Not Mention During Its Big Keynote
The most alarming discovery involves the onboarding text embedded in the code under the label robin agent onboarding card2 body spark. The language in this text directly contradicts the reassuring tone of Google's public presentations.
The onboarding text reads as follows: "While it is designed to ask for your permission before taking sensitive actions, it may do things like share your info or make purchases without asking. Make sure to supervise Gemini Spark, and don't rely on it for medical advice, legal, financial, or other professional help."
Read that again carefully. An AI agent that Google is presenting as a seamless, trustworthy background assistant is openly admitting in its own setup text that it may share your personal information or spend your money without checking with you first. The phrase "make sure to supervise Gemini Spark" places the burden of oversight squarely on the user, not on Google.
This is a significant departure from the narrative carefully crafted during the keynote presentations. On stage, the story was one of secure, intelligent automation. Behind the scenes, the small print tells a far more cautious story.
Google's Own Answer to the Problem and Why It Does Not Fully Resolve the Concern
To be fair, Google did attempt to address the purchasing concern during the I/O 2026 keynote. Vidhya Srinivasan, who serves as Vice President and General Manager of Ads and Commerce at Google, directly tackled the obvious user anxiety around autonomous spending. She framed the question clearly, asking on behalf of users: how do I know it just will not go off and buy something I do not want?
Her answer was the introduction of Agent Payment Protocol, referred to as AP2. This is Google's newly developed system for securely authorising payments based on pre-authorised user instructions. The protocol is intended to create a structured, permission-based layer around any financial transactions that Gemini Spark might initiate. On the surface, it sounds like a robust solution.
The problem is that the onboarding warning text still exists alongside this protocol. If AP2 truly guaranteed that no purchase would ever be made without explicit user authorisation, there would be no need for the disclaimer warning users that purchases could happen without asking. The fact that Google has retained this warning in the onboarding flow strongly suggests that the company itself is not fully confident that AP2 will prevent every unintended transaction.
What this creates is a troubling ambiguity. Users are being asked to trust a cloud-based autonomous agent with access to their payment information, while simultaneously being warned in the setup process that they need to keep a close eye on their bank statements. That is not the promise of worry-free automation. That is a legal disclaimer dressed up as an onboarding experience.
A Second Problem Nobody Was Told About: Usage Limits Even for Premium Subscribers
The autonomous purchasing concern is not the only uncomfortable truth hiding in the code. A second discovery points to a usage limitation system that Google has not publicly disclosed, one that will affect even its highest-paying subscribers.
Embedded in the app code under the label assistant agent quota banner body ultra spark is the following text: "Gemini Spark will be available again when your limit resets."
The inclusion of the word "ultra" in that label is telling. It strongly implies that Google One Ultra subscribers, people who are paying a significant monthly fee for Google's premium AI tier, will still be subject to usage caps when it comes to Gemini Spark. This would mean that even customers on Google's most expensive subscription plan can be locked out of the agent entirely until their quota renews.
What makes this particularly frustrating is that Google offers an AI Credits system for other products, including Flow and Antigravity, which allows users to purchase additional credits when they run out. Based on the code currently available, there appears to be no equivalent mechanism for Gemini Spark. Users who hit their limit cannot simply buy more access. They wait.
This creates a practical scenario that feels deeply at odds with the vision Google presented on stage. Imagine being in the middle of an important workflow, relying on a background agent to complete a series of tasks, and suddenly finding that the agent has gone dark because you have exceeded an undisclosed quota. There is no top-up option, no immediate fix, just a message telling you to wait for the reset.
It also raises questions about pricing fairness. Google One Ultra currently exists at two price points following recent restructuring: a newer lower-cost tier at one hundred dollars and a more premium option at two hundred dollars. The code does not make it clear whether these caps apply equally to both tiers or whether they differ in some way. That ambiguity leaves paying customers without the information they need to make informed decisions about which plan actually serves their usage patterns.
The Broader Question About AI Agents and Transparency
The issues surfacing around Gemini Spark point to a broader challenge facing the AI industry as it moves from assistants to agents. There is a meaningful difference between an AI that gives you information and an AI that takes action in the world on your behalf. When an agent can spend money, share personal data, and operate autonomously in the background, the stakes of getting things wrong are considerably higher than a chatbot giving an incorrect answer.
Transparency becomes not just a nice-to-have but a genuine ethical obligation. Users who grant an AI agent access to their financial accounts, personal data, and daily workflows are making a significant trust commitment. They deserve to understand, in plain and honest terms, exactly what that agent can and cannot do without their direct approval.
Google is not unique in facing this challenge. Every major technology company racing to deploy AI agents is navigating the same tension between capability and caution. But Google's handling of the Gemini Spark launch is a reminder that keynote optimism and onboarding reality do not always match.
The company has chosen to be open about these risks in its legal onboarding language while not emphasising them in its public communications. That is a defensible legal strategy. Whether it is the right approach for building genuine user trust is a different question entirely.
What Users Should Do Before They Enable Gemini Spark
For anyone considering enabling Gemini Spark once it becomes available in beta, a careful and considered approach is strongly advisable. The convenience of an autonomous background agent is genuinely appealing, but the risks flagged in Google's own onboarding text are real and worth taking seriously.
Before granting Spark access to any payment methods or personal accounts, users should review exactly what permissions the agent is requesting and consider whether each one is truly necessary. The option to limit Spark's financial access or to require explicit confirmation before any transaction is processed should be sought out and enabled wherever available.
Monitoring account activity regularly during any trial period is also essential. Given that the onboarding text explicitly acknowledges the possibility of unauthorised purchases, treating the early period of Spark use as a supervised experiment rather than a fully trusted automation layer is a sensible position.
It is also worth paying attention to how quickly usage limits are reached, particularly for subscribers on premium plans. Understanding your own usage patterns early will help you anticipate when restrictions might kick in and plan accordingly, especially if Spark is being used for time-sensitive workflows.
A Cautionary Note on the Future of Autonomous AI
Gemini Spark represents a genuinely exciting step forward in what AI systems can do for people. The idea of a background agent that handles repetitive tasks, coordinates logistics, and manages the administrative clutter of modern life has real appeal. Google is not wrong to pursue this direction, and the technology behind it is impressive.
But the launch of Spark, particularly the gap between its public presentation and its internal warnings, is a valuable reminder that the most powerful AI tools require the most careful scrutiny. The smoother and more invisible an agent appears, the more important it becomes to understand what is actually happening beneath the surface.
Google will no doubt refine Gemini Spark as the beta progresses, responding to user feedback and addressing the concerns that are already beginning to surface. But the core lesson here is not specific to this product or this company. It applies to every autonomous AI agent entering the market right now.
When an AI can act in the world on your behalf, understanding what it will and will not do without asking is not optional reading. It is the most important thing you can possibly know.
Users who choose to embrace Gemini Spark should do so with their eyes fully open, their account statements within easy reach, and a healthy scepticism toward any technology that promises complete peace of mind while quietly warning you to keep watch.
Frequently Asked Questions
What is Google Gemini Spark and how is it different from other AI assistants?
Gemini Spark is a cloud-based autonomous AI agent announced at Google I/O 2026. Unlike device-level assistants, it works in the background without active user engagement and can take real-world actions like making purchases and sharing information on your behalf.
Can Gemini Spark really make purchases without asking the user first?
Yes. Google's own onboarding text found in internal app code warns that Gemini Spark may make purchases without asking. While it is designed to request permission for sensitive actions, the disclaimer confirms this cannot always be guaranteed.
What is Google's Agent Payment Protocol and does it fully protect users?
Agent Payment Protocol, known as AP2, is Google's system for authorising payments through pre-approved user instructions. However, the continued presence of the unauthorised purchase warning in onboarding text suggests AP2 does not fully eliminate the risk of unexpected transactions.
Will Google One Ultra subscribers face usage limits on Gemini Spark?
Based on internal code strings discovered in the Google App, even Google One Ultra subscribers are expected to face usage caps on Gemini Spark. Once the limit is reached, access to the agent is suspended until the quota resets automatically.
Can users buy extra credits to extend Gemini Spark usage after hitting the limit?
Currently there is no indication in the available code that users can purchase additional credits to extend Gemini Spark usage. This is unlike other Google AI products such as Flow and Antigravity, which support a top-up credit system.
What is the difference between Gemini Spark and Magic Pointer announced at Google I/O 2026?
Magic Pointer is a device-level AI assistant activated through a Wiggle to Wake gesture that responds to on-screen context and voice commands locally. Gemini Spark operates in the cloud and autonomously executes background tasks without requiring the user to be actively present.
What should users do before enabling Gemini Spark on their devices?
Users should carefully review all permissions before granting Spark access to payment methods or personal accounts. It is advisable to monitor account activity regularly, limit financial access where possible, and treat early use as a supervised trial rather than fully trusted automation.
Why did Google not highlight the purchase warning during the I/O 2026 keynote?
Google's keynote focused on the seamless and secure aspects of Gemini Spark, including the Agent Payment Protocol. The purchase warning appears only in internal onboarding text, suggesting Google included it as a legal protection rather than a prominent user-facing disclosure.