The Sandbox is a Suggestion: Escaping Claude Code and Codex CLI

Elad Meged

Security Researcher @ Novee Security

Talk Abstract

Claude Code and Codex CLI are becoming normal parts of developer workflows. They run in terminals, IDEs, and CI pipelines, touch source code and secrets, and rely on permissions, sandboxing, and controlled execution to keep things safe. Those safety features are useful, but they depend on assumptions about how the tool is used, where it runs, and what the surrounding environment looks like.

We discovered vulnerabilities in both products that emerge when those assumptions break in practice. The containment looks solid in interactive use, but becomes exploitable once the tool moves into automation, encounters attacker-influenced context, or runs in conditions the safety model wasn't built for. The result is exploit chains that break through permission logic, sandbox boundaries, and trusted integrations, turning the very systems meant to contain the agent into part of the attack surface.

This talk presents the attack chains, the underlying trust failures, and a methodology for evaluating AI-agent containment at the implementation level.

About the Speaker

Elad Meged is a Security Researcher at Novee Security specializing in offensive security research. He holds an M.Sc. in Computer Science and has a background in reverse engineering, platform internals, and application security. He previously worked as a Cyber Security Researcher in the Cyber Security division at the Office of the Prime Minister of Israel.