Problem
The model-facing run_python tool uses in-process Python exec() with restricted imports.
Even with restrictions, executing model-generated code in the backend process is a high-risk pattern and should be reviewed as a separate security boundary.
Risk
A bypass in the restrictions could expose backend process memory, environment variables, filesystem access, network access, or service credentials. In-process execution also creates availability risks through CPU, memory, or infinite-loop abuse.
Expected behavior
Model-generated Python should either be removed, tightly sandboxed out of process, or constrained to a narrow, audited execution model.
Acceptance criteria
- Document whether
run_python is required for product behavior.
- If required, move execution to an isolated sandbox with resource limits and no ambient service credentials.
- If not required, remove or disable the tool.
- Add tests for blocked imports, filesystem/network access, timeout/resource limits, and error handling.
- Confirm observability logs capture blocked/failed executions without leaking sensitive code or outputs.
Problem
The model-facing
run_pythontool uses in-process Pythonexec()with restricted imports.Even with restrictions, executing model-generated code in the backend process is a high-risk pattern and should be reviewed as a separate security boundary.
Risk
A bypass in the restrictions could expose backend process memory, environment variables, filesystem access, network access, or service credentials. In-process execution also creates availability risks through CPU, memory, or infinite-loop abuse.
Expected behavior
Model-generated Python should either be removed, tightly sandboxed out of process, or constrained to a narrow, audited execution model.
Acceptance criteria
run_pythonis required for product behavior.