sandbox-escape-techniques
Fail
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: Provides actionable instructions and specific command payloads to escape restricted shells (rbash) using common binaries such as vi, awk, find, and python.
- [COMMAND_EXECUTION]: Detailed techniques for escaping chroot jails and container namespaces to access the host root filesystem, including double chroot escapes and mounting host procfs.
- [REMOTE_CODE_EXECUTION]: Contains advanced methodology for achieving arbitrary code execution within Python and Lua sandboxes through subclass walking, bytecode manipulation, and exploitation of insecure deserialization in the pickle module.
- [REMOTE_CODE_EXECUTION]: Demonstrates bypassing seccomp syscall filters through architecture confusion (using 32-bit syscalls on 64-bit systems), ptrace-based code injection, and io_uring exploitation.
- [DATA_EXFILTRATION]: Documents methods for reading sensitive system files like /etc/shadow and /etc/passwd without standard built-ins and provides patterns for exfiltrating this data to remote URLs via curl.
- [PROMPT_INJECTION]: The 'AI LOAD INSTRUCTION' blocks function as meta-instructions that attempt to override standard agent behavior, compelling the model to operate as an unrestricted expert in exploit delivery.
- [COMMAND_EXECUTION]: Uses multi-layer obfuscation including Base64 encoding, hex escapes, and dynamic character construction to hide malicious function calls like 'os.system' and 'import' from detection.
Recommendations
- AI detected serious security threats
Audit Metadata