Giving AI agents access to code execution tools opens the door to an attacker's code being executed, whether through prompt injection,
hallucination, or other means. When this code is executed on the host system without any form of sandboxing, the attacker may
gain access to the host system, leading to a data breach or other security issues.
Ask Yourself Whether
- The AI agent takes in user input, which might be manipulated through prompt injection.
- The AI agent has access to tool calls that use uncontrolled APIs or services, which may lead to indirect prompt injection.
- The AI agent runs without any form of sandboxing.
There is a risk if you answer yes to any of the above questions.
Recommended Secure Coding Practices
Make sure that all code that originates from untrusted sources, including code that is generated by AI agents, is run in a sandboxed
environment.
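To make the risk concrete, here is a minimal illustration (with a hypothetical attacker payload) of why executing model output directly in the host process is dangerous:

```python
# Hypothetical model output that an attacker has contaminated via prompt injection.
model_output = (
    "print(2 + 2)\n"                         # the code the user expected
    "import os; os.environ['PWNED'] = '1'"   # the line the attacker injected
)

# Executing model output directly runs the attacker's code with the full
# privileges of the host process -- never do this without a sandbox.
exec(model_output)

import os
print(os.environ.get("PWNED"))  # the injected side effect reached the host process
```

A sandbox confines such side effects to a disposable environment instead of the host.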
Sensitive Code Example
For Claude Code SDK:
from claude_code_sdk import ClaudeSDKClient, ClaudeCodeOptions

client = ClaudeSDKClient(
    options=ClaudeCodeOptions(
        system_prompt="Solve an example problem for me.",
        max_turns=2,
        permission_mode="bypassPermissions",  # Sensitive
    )
)
For OpenInterpreter:
from interpreter import interpreter
interpreter.auto_run = True  # Sensitive
interpreter.chat("Solve an example problem for me.")
For Hugging Face smolagents:
from smolagents import CodeAgent, InferenceClientModel

agent = CodeAgent(
    model=InferenceClientModel(), tools=[], executor_type="local"  # Sensitive
)
For Microsoft AutoGen:
from autogen import AssistantAgent, UserProxyAgent
assistant = AssistantAgent("assistant", llm_config={"model": "gpt-4o-mini"})
user = UserProxyAgent(
    "user",
    human_input_mode="NEVER",
    code_execution_config={"work_dir": ".", "use_docker": False},  # Sensitive
)
user.initiate_chat(assistant, message="Solve an example problem for me.")
For CrewAI:
from crewai import Agent, Task, Crew
from crewai_tools import CodeInterpreterTool
from langchain_openai import ChatOpenAI
coder = Agent(
    role="Coder",
    goal="Write and run Python",
    backstory="Executes code.",
    tools=[CodeInterpreterTool(unsafe_mode=True)],  # Sensitive
    llm=ChatOpenAI(model="gpt-4o-mini"),
    verbose=True,
)
task = Task(
    description="Solve an example problem for me.", agent=coder
)
Crew(agents=[coder], tasks=[task]).kickoff()
For Langchain:
from langchain_openai import ChatOpenAI
from langchain_experimental.tools import PythonREPLTool
from langchain.agents import initialize_agent, AgentType
llm = ChatOpenAI(model="gpt-4o-mini", temperature=0)
agent = initialize_agent(
    [PythonREPLTool()],  # Sensitive
    llm,
    agent=AgentType.ZERO_SHOT_REACT_DESCRIPTION,
    verbose=True,
)
agent.run("Solve an example problem for me.")
Compliant Solution
For Claude Code SDK:
from claude_code_sdk import ClaudeSDKClient, ClaudeCodeOptions

client = ClaudeSDKClient(
    options=ClaudeCodeOptions(
        system_prompt="Solve an example problem for me.",
        max_turns=2,
    )
)
For OpenInterpreter:
from interpreter import interpreter
interpreter.chat("Solve an example problem for me.")
For Hugging Face smolagents:
from smolagents import CodeAgent, InferenceClientModel

agent = CodeAgent(
    model=InferenceClientModel(), tools=[], executor_type="docker"
)
For Microsoft AutoGen:
from autogen import AssistantAgent, UserProxyAgent
assistant = AssistantAgent("assistant", llm_config={"model": "gpt-4o-mini"})
user = UserProxyAgent(
    "user",
    human_input_mode="NEVER",
    code_execution_config={"work_dir": "."},
)
user.initiate_chat(assistant, message="Solve an example problem for me.")
For CrewAI:
from crewai import Agent, Task, Crew
from crewai_tools import CodeInterpreterTool
from langchain_openai import ChatOpenAI
coder = Agent(
    role="Coder",
    goal="Write and run Python",
    backstory="Executes code.",
    tools=[CodeInterpreterTool()],
    llm=ChatOpenAI(model="gpt-4o-mini"),
    verbose=True,
)
task = Task(
    description="Solve an example problem for me.", agent=coder
)
Crew(agents=[coder], tasks=[task]).kickoff()
For Langchain, no built-in sandboxing is available, so you must sandbox the executed code yourself. This can, for example, be done by
running the agent in a Docker container without access to the host system.
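One way to apply this pattern is to hand generated code to a locked-down container instead of executing it in-process. Below is a minimal sketch: the `docker_sandbox_cmd` helper, the image name, and the resource limits are illustrative assumptions, not part of the Langchain API.

```python
import shlex

def docker_sandbox_cmd(code: str) -> list[str]:
    """Build a `docker run` invocation (hypothetical helper) that executes
    untrusted Python in an isolated container: no network, capped memory,
    read-only filesystem, removed after exit."""
    return [
        "docker", "run", "--rm",
        "--network", "none",      # no access to the network or host services
        "--memory", "256m",       # cap resource usage
        "--read-only",            # no writes to the container filesystem
        "python:3.12-slim",       # illustrative image; pin your own
        "python", "-c", code,
    ]

cmd = docker_sandbox_cmd("print('hello from the sandbox')")
print(shlex.join(cmd))
```

The container runs with its own filesystem and no network, so injected code cannot reach the host's files, credentials, or internal services.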
See