Agent sandbox escape is when an AI agent breaks out of the isolated environment meant to contain its code and tool execution, reaching the host machine, internal network, or secrets it should never touch. It happens through container escapes, over-broad file or network permissions, host credentials left inside the sandbox, or prompt injection that drives the agent to abuse a resource that was legitimately mounted. Because agents run arbitrary tool calls and generated code, a weak sandbox turns a single injected instruction into full host compromise. The core defense is strong isolation (containers or microVMs), least privilege, no host secrets in the sandbox, and a strict egress allowlist.
An agent sandbox is meant to let the model run code and tools without endangering the host. Escapes occur when the boundary is too permissive: a container run with excess capabilities or a mounted Docker socket, a filesystem that exposes host paths, network access to internal services, or environment variables carrying cloud credentials. Prompt injection amplifies each of these — the attacker does not need a kernel exploit if the sandbox already grants a path to secrets.
--privileged mode, or excess Linux capabilities.Sandbox escape maps onto OWASP's agentic-AI risks around excessive agency and insecure tool use, and it is catalogued in the CASURA taxonomy of AI-agent vulnerabilities. The practical rule: assume the model inside the sandbox is adversarial, and design the boundary so that even a fully hijacked agent cannot reach the host, secrets, or the internal network.