Skip to content

run_python is risky #136

Description

@anth-volk

Problem

The model-facing run_python tool uses in-process Python exec() with restricted imports.

Even with restrictions, executing model-generated code in the backend process is a high-risk pattern and should be reviewed as a separate security boundary.

Risk

A bypass in the restrictions could expose backend process memory, environment variables, filesystem access, network access, or service credentials. In-process execution also creates availability risks through CPU, memory, or infinite-loop abuse.

Expected behavior

Model-generated Python should either be removed, tightly sandboxed out of process, or constrained to a narrow, audited execution model.

Acceptance criteria

  • Document whether run_python is required for product behavior.
  • If required, move execution to an isolated sandbox with resource limits and no ambient service credentials.
  • If not required, remove or disable the tool.
  • Add tests for blocked imports, filesystem/network access, timeout/resource limits, and error handling.
  • Confirm observability logs capture blocked/failed executions without leaking sensitive code or outputs.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions