Last updated: July 2026 · Orchesis reference

Agent Sandbox Escape

Agent sandbox escape is when an AI agent breaks out of the isolated environment meant to contain its code and tool execution, reaching the host machine, internal network, or secrets it should never touch. It happens through container escapes, over-broad file or network permissions, host credentials left inside the sandbox, or prompt injection that drives the agent to abuse a resource that was legitimately mounted. Because agents run arbitrary tool calls and generated code, a weak sandbox turns a single injected instruction into full host compromise. The core defense is strong isolation (containers or microVMs), least privilege, no host secrets in the sandbox, and a strict egress allowlist.

How agent sandbox escape happens

An agent sandbox is meant to let the model run code and tools without endangering the host. Escapes occur when the boundary is too permissive: a container run with excess capabilities or a mounted Docker socket, a filesystem that exposes host paths, network access to internal services, or environment variables carrying cloud credentials. Prompt injection amplifies each of these — the attacker does not need a kernel exploit if the sandbox already grants a path to secrets.

Common escape vectors

How to sandbox an AI agent

  1. Strong isolation — run tool and code execution in a container or microVM, never directly on the host.
  2. Least privilege — drop capabilities, run as non-root, and expose no host socket.
  3. No secrets inside — keep host credentials out of the sandbox; broker access through a proxy that holds the keys.
  4. Ephemeral scratch filesystem — restrict writes to a disposable directory, mount nothing from the host.
  5. Egress allowlist — permit only approved outbound destinations to prevent exfiltration and internal pivots.
  6. Approval and monitoring — require human sign-off for irreversible actions and log every tool call from outside the sandbox.

Context

Sandbox escape maps onto OWASP's agentic-AI risks around excessive agency and insecure tool use, and it is catalogued in the CASURA taxonomy of AI-agent vulnerabilities. The practical rule: assume the model inside the sandbox is adversarial, and design the boundary so that even a fully hijacked agent cannot reach the host, secrets, or the internal network.

Sources: OWASP Agentic Security Project · CASURA taxonomy (Orchesis) · container and microVM isolation guidance. Reference maintained by Orchesis, an open-source AI-agent security proxy.