[DOCS] Security warning missing in Sandbox code examples using `docker.sock`

Resolved 💬 2 comments Opened Jan 13, 2026 by coygeek Closed Jan 17, 2026

Documentation Type

Other

Documentation Location

  • docs/en/agent-sdk/python.md - docs/en/agent-sdk/typescript.md - docs/en/sandboxing.md

Section/Topic

  • Sandbox Configuration / Example usage sections in the Python and TypeScript SDK references. - Security Limitations section in the Sandboxing guide.

Current Documentation

In docs/en/sandboxing.md under Security Limitations:

"Privilege Escalation via Unix Sockets: The allowUnixSockets configuration can inadvertently grant access to powerful system services that could lead to sandbox bypasses. For example, if it is used to allow access to /var/run/docker.sock this would effectively grant access to the host system..."

However, in docs/en/agent-sdk/python.md (and the TypeScript equivalent), the Example usage for SandboxSettings provides the following code:

sandbox_settings: SandboxSettings = {
    "enabled": True,
    "autoAllowBashIfSandboxed": True,
    "excludedCommands": ["docker"],
    "network": {
        "allowLocalBinding": True,
        "allowUnixSockets": ["/var/run/docker.sock"]
    }
}

What's Wrong or Missing?

There is a dangerous inconsistency between the security warnings and the implementation examples.

While the sandboxing.md file correctly identifies /var/run/docker.sock as a major privilege escalation risk that allows full host access, the SDK reference pages (python.md and typescript.md) use this exact path in their "copy-paste" examples without any inline warning.

Developers often copy-paste from "Example Usage" blocks without reading the full security limitations page. By providing this specific path as the default example, the documentation inadvertently encourages a high-risk configuration that bypasses the primary goals of the sandbox.

Suggested Improvement

Update the code examples in python.md and typescript.md to include a clear warning comment next to the sensitive Unix socket path.

Suggested Python Example:

sandbox_settings: SandboxSettings = {
    "enabled": True,
    "autoAllowBashIfSandboxed": True,
    "excludedCommands": ["docker"],
    "network": {
        "allowLocalBinding": True,
        # WARNING: Access to docker.sock allows full host access. 
        # Only use this in trusted, isolated environments.
        "allowUnixSockets": ["/var/run/docker.sock"]
    }
}

Suggested TypeScript Example:

sandbox: {
  enabled: true,
  autoAllowBashIfSandboxed: true,
  excludedCommands: ["docker"],
  network: {
    allowLocalBinding: true,
    // WARNING: Access to docker.sock allows full host access. 
    // Only use this in trusted, isolated environments.
    allowUnixSockets: ["/var/run/docker.sock"]
  }
}

Additionally, consider using a less sensitive example path (like a mock SSH agent socket) for general documentation, keeping the docker.sock mention specifically for the "Security Limitations" section.

Impact

High - Prevents users from using a feature

Additional Context

  • Related Documentation: sandboxing.md (Security Limitations).
  • Security Impact: Major. Providing an example that allows a complete sandbox escape to the host system without an inline warning is a significant security oversight for a tool designed to execute autonomous agentic code.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗