The main unsafe defaults in AutoGen revolve around the `GroupChatManager` and code execution agents. The framework prioritizes functionality over security out of the box, handing out excessive permissions.
**1. Code Execution Agents (`UserProxyAgent` with `code_execution_config`)**
The default setup runs code in the same process as your application, with the same privileges. No sandbox, no isolation.
```python
from autogen import UserProxyAgent

# DEFAULT, UNSAFE: generated code runs in-process, with the application's privileges
agent = UserProxyAgent(
    name="code_executor",
    code_execution_config={"work_dir": "code"},
)
# This agent can run `os.system("rm -rf /")` or exfiltrate your API keys.
```
**2. Over-Privileged LLM Instructions**
System prompts for manager agents often lack security context, like "You can run any code to solve the task." Combined with the above, it's a free-for-all.
**Fixes:**

* **For Code Execution:**
  * **Isolate:** Use Docker via `code_execution_config={"use_docker": True}`. This is the minimum.
  * **Restrict:** Create a custom `DockerCommandLineFunction` with a read-only volume and a non-root user.
  * **Audit:** Implement a code pre-check function that rejects dangerous operations (e.g., importing `os` or `subprocess`) before anything reaches the executor.

  ```python
  # SAFER SETUP: containerised, non-root, scratch working directory
  code_execution_config = {
      "use_docker": True,
      "docker_config": {"image": "python:3-slim", "user": "nobody"},
      "work_dir": "/tmp/scratch",
  }
  ```

* **For Agent Privileges:**
  * **Principle of Least Privilege:** Don't give code execution to every agent. Have a dedicated, tightly controlled "executor" agent that the others must request actions from.
  * **Hardened System Prompts:** Add clauses like "You must not, under any circumstances, attempt to access the filesystem, network, or environment variables directly. All code execution must use the provided safe execution function."
* **For GroupChatManager:**
  * Explicitly define `llm_config` for the manager and remove any general `code_execution_config` from it. Its job is to route messages, not run code.
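As an added example (not AutoGen's own code), here is a stdlib-only pre-check of the kind the "Audit" bullet calls for: it walks the AST of every fenced Python block in an LLM reply and refuses denied imports, dangerous builtins, dunder attribute access and shell blocks. The denylists, fence regex and sample reply are constructed for illustration; wiring the check in front of your executor is left to your agent setup, and it supplements the Docker sandbox rather than replacing it.

```python
import ast
import re

TICKS = "`" * 3  # fence marker, built so it never appears literally in this file
# Hypothetical denylists (constructed for this example). The filter sits in front of
# the Docker sandbox; it does not replace it.
DENIED_MODULES = {"os", "subprocess", "sys", "shutil", "socket", "importlib", "ctypes"}
DENIED_CALLS = {"eval", "exec", "compile", "__import__"}
SHELL_TAGS = {"sh", "bash", "shell", "powershell"}  # AutoGen executes these blocks too
FENCE_RE = re.compile(TICKS + r"([\w+-]*)\n(.*?)" + TICKS, re.DOTALL)  # ```lang\n...```

def precheck_python(code: str) -> list[str]:
    """Return the reasons a Python block must be rejected (empty list = clean)."""
    try:
        tree = ast.parse(code)
    except SyntaxError as exc:
        return [f"syntax error: {exc.msg}"]  # unparseable code never reaches the executor
    reasons = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in DENIED_MODULES:
                    reasons.append(f"import of denied module {alias.name!r}")
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in DENIED_MODULES:
                reasons.append(f"import from denied module {node.module!r}")
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            if node.func.id in DENIED_CALLS:
                reasons.append(f"call to denied builtin {node.func.id!r}")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            # dunder access is a common way around import filters, so reject it outright
            reasons.append(f"dunder attribute access {node.attr!r}")
    return reasons

def precheck_message(message: str) -> list[str]:
    """Vet every fenced block in an LLM reply; a non-empty result means 'do not execute'."""
    reasons: list[str] = []
    for lang, body in FENCE_RE.findall(message):
        if lang.lower() in SHELL_TAGS:
            reasons.append(f"shell block ({lang}) is not permitted")
        else:
            reasons.extend(precheck_python(body))
    return reasons

# Constructed sample reply: one benign block and one that reaches for the host.
SAMPLE_REPLY = (
    f"Here is the solver:\n{TICKS}python\nimport math\nprint(math.sqrt(2))\n{TICKS}\n"
    f"And a helper:\n{TICKS}python\nimport os\nos.system('env')\n{TICKS}\n"
)
```

A denylist like this is bypassable by construction, which is why the Docker isolation above stays mandatory; the check's value is catching the obvious cases early and logging them.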
The core mistake is treating the agent system as a closed, trusted environment. It's not. Assume any LLM output is potentially malicious code targeting your infrastructure. Configure accordingly.