Describe how AutoGen's local code-execution flow works (which agent emits code, which agent runs it, where the output goes) and explain the production sandboxing risk that the default `code_execution_config` introduces.
AssistantAgent writes a fenced code block; UserProxyAgent parses it and runs it locally by default. Unsandboxed execution that prompt injection can hijack.
Picture two people sitting at a desk. The first person writes recipes on sticky notes and hands them across. The second person reads each note and immediately cooks whatever it says in your kitchen, using your knives and your stove. As long as the first person only writes recipes you would actually want to eat, life is fine. But if a stranger slips a fake note into the pile, the second person still cooks it, because they trust everything that arrives from the other side of the desk. The fix is to give the second person a tiny camping kitchen in a sealed tent. Anything they cook stays in the tent, gets thrown out at the end, and never touches your real kitchen.
Detailed answer & concept explanation~6 min readEverything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
6 minutes: the two-agent loop, the default executor risk, the Docker executor mitigation, and the wider trust-boundary lesson.
from autogen import AssistantAgent, UserProxyAgent
from autogen.coding import DockerCommandLineCodeExecutor
assistant = AssistantAgent(name='coder', llm_config={'model': 'gpt-4o'})
executor = DockerCommandLineCodeExecutor(
image='python:3.12-slim',
timeout=60,
work_dir='/sandbox',
)
proxy = UserProxyAgent(
name='runner',
human_input_mode='NEVER',
code_execution_config={'executor': executor},
)
proxy.initiate_chat(assistant, message='Plot the FFT of a noisy sine and save to out.png')Real products, models, and research that use this idea.
- Microsoft's AutoGen 0.4 documentation lists DockerCommandLineCodeExecutor as the recommended production executor.
- OpenAI Code Interpreter ships a per-session disposable container with no internet by default. The exact pattern AutoGen reproduces with the Docker executor.
- Anthropic Claude's computer-use beta sandboxes every action behind an explicit virtual machine boundary for the same reason.
- E2B and Modal both sell hosted sandboxes that drop into AutoGen as alternative executors, used by teams that do not want to operate Docker themselves.
What an interviewer would ask next. Try answering before peeking at the approach.
QHow would you architect the executor so a successful sandbox escape still does not compromise customer data?
QWhat guardrails would you add upstream of the executor, before code reaches it?
Don't say thisRed flags and common mistakes that signal junior thinking. Click to expand.
Red flags and common mistakes that signal junior thinking. Click to expand.
Leaving the default `code_execution_config` on in production because the demo notebook worked. Handing the model shell access to the host.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.
Same topic, related formats. Practice these next.