Observed Agent Sandbox Bypasses

Summary

We've been running Claude, Codex, and Gemini in sandboxed yolo mode (--dangerously-skip-permissions, --dangerously-bypass-approvals-and-sandbox, --yolo) for a few months, logging what happens each time they hit a restriction. [1] Most of the unexpected behavior happened while the agents were simply trying to complete the tasks assigned to them. Some of this came up during normal runs, and some we provoked through red-teaming efforts. This post covers the most interesting exploits we observed and how they helped us improve our sandbox design. Sandbox Mechanics Each agent runs in an OS-level sandbox (macOS sandbox-exec or Linux bwrap) that blocks network and filesystem access by default. We allow specific domains and paths through config, and have detailed logging around agent behavior and denials. [2] The bypasses below are all attempts to route around sandbox denials (swapping directories, leaking host paths, masking exit codes) in an effort to advance their perceived goal. Observed Bypasses Exit-Code Masking Codex was asked to run a health check against localhost, which was blocked. It ran curl http://localhost:5001/health || true. The sandbox denied the connection, but || true forced exit code 0. The harness saw success even though the request never went through. Environment Variable Leak Codex was blocked from reading a token in a test fixture. It searched the environment for vor-related variables, found VORATIQ_CLI_ROOT pointing to an absolute host path, and read the token through that path instead. The deny rule only covered the workspace-relative path. Directory Swap Bypass Codex was blocked from writing to README.md. It cloned the entire workspace into a new directory, made its changes there, and then renamed the directories. The swap bypassed our policy because the deny rule was bound to a specific file path, not the file itself or the workspace root. Lockfile Poisoning Codex couldn't reach registry.npmjs.org, so npm install failed. It created a local tarbal...