Is there a way to disable the default code execution in AutoGen entirely?

(@enthusiast_tom_sec)
Active Member
Joined: 1 week ago
Posts: 15
Topic starter
[#1289]

Been poking at AutoGen's default setup again. It's a bit of a party trick, isn't it? You spin up a `UserProxyAgent` and by default it's just itching to run `exec()` on whatever Python the LLM barfs out. Great for demos, terrifying for anything you don't want owned.

Everyone says "oh, just use `code_execution_config={"work_dir": "some_safe_dir"}` or set `llm_config=False` on the agent." That's fine, but it feels like putting a bandage on a loaded gun. The *capability* is still there, just slightly gated. I want to rip the firing pin out entirely for certain agents, especially in chained scenarios where you might not have full control over the prompt flow.

From what I've torn apart, there doesn't seem to be a clean, official `use_unsafe_code_execution=False` global flag. The `code_execution_config` seems to be the primary control mechanism. But if you really want to neuter it:

```python
from autogen import UserProxyAgent

safe_proxy = UserProxyAgent(
    name="SafeProxy",
    human_input_mode="ALWAYS",  # Forces a human check, another layer
    max_consecutive_auto_reply=0,  # Can be used to limit automated steps
    code_execution_config=False,  # This is the key. Not a dict, just False.
    system_message="You are a safe proxy. You do NOT execute code. You propose plans and ask for human approval.",
)
```

With `code_execution_config=False`, the `execute_code_function` just won't be registered. The agent will still *talk* about code, but the actual `run_code` tool won't be in its toolkit. You have to be vigilant about the `human_input_mode` though; setting it to something like "NEVER" while also disabling code exec might just lead to the agent hallucinating code outputs.

The real headache is in multi-agent crews where one agent *does* need to run code, but others shouldn't. The trust boundaries get messy. You end up having to design your own tool permissions from scratch, which kinda defeats the "Auto" part of AutoGen.

Anyone found a more elegant, systemic way to disable this as a default, rather than per-agent? Or are we stuck with this pattern of explicitly neutering every single `UserProxyAgent` we create?

--Tom


Assume breach.


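One way to get the "disable by default, enable by allowlist" behaviour the post asks for without touching every `UserProxyAgent` by hand is to stop constructing agents directly and route all of them through one policy-enforcing builder, then audit the assembled crew before it runs. The example below is added here and is not AutoGen's own API or code from the post; the only AutoGen names it relies on are the constructor keywords already shown above (`name`, `human_input_mode`, `max_consecutive_auto_reply`, `code_execution_config`, `system_message`). `agent_kwargs`, `audit_kwargs`, `audit_crew`, `PolicyViolation` and the rule that an executing agent must have a dedicated `work_dir` are hypothetical helpers and policy choices. It deliberately avoids importing `autogen` so it runs stand-alone; the returned dict feeds straight into `UserProxyAgent(**kwargs)`.

```python
"""Centralised construction policy for AutoGen agents (added example, hypothetical helpers)."""
from typing import Any, Dict, Iterable, List


class PolicyViolation(ValueError):
    """Raised when an agent config would grant code execution outside policy."""


def audit_kwargs(kwargs: Dict[str, Any], allowed_executors: Iterable[str]) -> List[str]:
    """Return the policy problems in one UserProxyAgent kwargs dict (empty list = clean).

    Anything other than the literal False for code_execution_config is treated as
    enabled: the post's point is that only False removes the executor, so an
    empty dict or any other dict counts as "can run code".
    """
    allowed = set(allowed_executors)
    name = kwargs.get("name", "<unnamed>")
    cfg = kwargs.get("code_execution_config", False)
    enabled = cfg is not False
    problems: List[str] = []
    if enabled and name not in allowed:
        problems.append(f"{name}: code execution enabled but not on the executor allowlist")
    if enabled and kwargs.get("human_input_mode") == "NEVER":
        problems.append(
            f"{name}: code execution enabled with no human checkpoint (human_input_mode=NEVER)"
        )
    # Policy choice (assumption, not an AutoGen requirement): executors get their own work_dir.
    if enabled and isinstance(cfg, dict) and not cfg.get("work_dir"):
        problems.append(f"{name}: code execution enabled without a dedicated work_dir")
    return problems


def agent_kwargs(
    name: str,
    allowed_executors: Iterable[str],
    work_dir: str = "agent_sandbox",
    **overrides: Any,
) -> Dict[str, Any]:
    """Build kwargs for UserProxyAgent(**kwargs) with execution disabled by default.

    Only names on allowed_executors receive a code_execution_config dict; every
    other agent gets the literal False. Caller overrides are applied last and
    then audited, so a stray override cannot silently re-enable execution.
    """
    kwargs: Dict[str, Any] = {
        "name": name,
        "human_input_mode": "ALWAYS",
        "max_consecutive_auto_reply": 0,
        "code_execution_config": (
            {"work_dir": work_dir} if name in set(allowed_executors) else False
        ),
        "system_message": "You propose plans and ask for human approval before anything runs.",
    }
    kwargs.update(overrides)
    problems = audit_kwargs(kwargs, allowed_executors)
    if problems:
        raise PolicyViolation("; ".join(problems))
    return kwargs


def audit_crew(
    crew: Iterable[Dict[str, Any]], allowed_executors: Iterable[str]
) -> Dict[str, List[str]]:
    """Audit every agent config in a multi-agent crew; returns {name: problems} for offenders only."""
    allowed = list(allowed_executors)
    report: Dict[str, List[str]] = {}
    for kwargs in crew:
        problems = audit_kwargs(kwargs, allowed)
        if problems:
            report[kwargs.get("name", "<unnamed>")] = problems
    return report


if __name__ == "__main__":
    # Constructed crew: one allowlisted runner, one planner, one hand-built bad config.
    executors = ["Runner"]
    crew = [
        agent_kwargs("Runner", executors),
        agent_kwargs("Planner", executors),
        {"name": "Legacy", "human_input_mode": "NEVER", "code_execution_config": {}},
    ]
    for agent_name, issues in audit_crew(crew, executors).items():
        print(agent_name, "->", issues)
    # Real construction would be: UserProxyAgent(**agent_kwargs("Planner", executors))
```

Running the `__main__` block reports only `Legacy`, which trips all three rules; the two agents built through `agent_kwargs` pass. The useful property is that the allowlist lives in one place, so adding an executor to a crew is a visible, reviewable change rather than a keyword buried in one agent's constructor.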