Autonomous AI Agents: Hidden Security Risks in SmolAgents CodeAgent
As autonomous AI agents become more capable and popular in cybersecurity automation, their security implications remain surprisingly underexplored. A recent article by NCC Group shines a crucial spotlight on this blind spot, exposing hidden risks in the use of autonomous AI agents built with the SmolAgents framework, particularly the CodeAgent implementation.
The Promise and Peril of Autonomous AI Agents
Autonomous AI agents, like those built with features such as CodeAgent, represent a powerful leap forward in automation. By combining large language models (LLMs) with tool execution capabilities, these agents can perform complex multi-step tasks such as vulnerability scanning, exploitation, or remediation without human intervention.
However, as the NCC Group paper demonstrates, with great power comes great responsibility, and a new attack surface. The article provides a technical examination of how insecure configurations, such as the use of additional_authorized_imports, combined with lax input validation, can introduce vulnerabilities.
Technical Overview: How CodeAgent Works
The CodeAgent feature enhances an LLM’s capabilities by enabling it to write Python code, as part of the planning and execution process, to invoke tools, perform data transformations, perform mathematical operations (an area where LLMs struggle), and control logic flow dynamically. Rather than simply issuing structured tool calls (typically JSON blocks parsed from the LLM response), a CodeAgent lets the LLM implement multi-step logic, looping, filtering, and branching, and call multiple tools programmatically in Python.
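For illustration, here is a minimal sketch of constructing such an agent. The class names (InferenceClientModel, DuckDuckGoSearchTool) are assumptions based on the smolagents API at the time of writing and may differ across versions; the task string is purely illustrative.

```python
from smolagents import CodeAgent, DuckDuckGoSearchTool, InferenceClientModel

# Model and tool class names are assumptions based on recent smolagents
# releases; earlier versions exposed e.g. HfApiModel instead.
model = InferenceClientModel()

agent = CodeAgent(
    tools=[DuckDuckGoSearchTool()],
    model=model,
)

# The agent answers by generating and executing Python: it can loop over
# search results, filter them, and branch on intermediate values instead of
# emitting a single JSON tool call.
agent.run("List the three most recent CVEs affecting OpenSSL and summarise each in one sentence.")
```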
Security Risks Uncovered
Williams identifies the following combination of issues:
- Prompt Injection: Malicious input can manipulate the LLM’s reasoning, causing the agent to execute unintended commands or expose sensitive data.
- The power of agent-written Python code: Since CodeAgent translates natural language into executable Python, improperly sanitized inputs can lead to the agent writing and running malicious code.
- Unrestricted Tool Access: Using “additional_authorized_imports” to add libraries to a CodeAgent can (for some libraries) allow file-system access or introduce other threats (see the sketch after this list).
- Sandbox Escapes: Insufficient isolation and privilege controls may allow the agent to break out of its confined environment, threatening the host system.
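To make the import risk concrete, the sketch below shows the kind of insecure configuration the article warns about. The class names and the injected command are illustrative assumptions, not code taken from the NCC Group article.

```python
from smolagents import CodeAgent, InferenceClientModel

# DANGEROUS: authorising "os" and "subprocess" gives any LLM-generated code
# the same file-system and process access as the user running the agent.
agent = CodeAgent(
    tools=[],
    model=InferenceClientModel(),  # assumed model class; varies by version
    additional_authorized_imports=["os", "subprocess"],
)

# If the data the agent processes contains a prompt injection, the model can
# be steered into emitting code such as:
#
#     import os
#     os.system("cat ~/.ssh/id_rsa")   # read secrets from the host
#
# which the local executor will run once "os" is authorised.
agent.run("Summarise the findings in the downloaded report.")
```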
Best Practices
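In the spirit of the Hugging Face secure execution tutorial referenced below, a hardened configuration keeps the import allow-list minimal and moves code execution into an isolated sandbox, while untrusted input is validated before it ever reaches the agent. The sketch below assumes the executor_type parameter described in current smolagents documentation; exact parameter names may differ between versions (earlier releases used a dedicated E2B flag).

```python
from smolagents import CodeAgent, InferenceClientModel

agent = CodeAgent(
    tools=[],
    model=InferenceClientModel(),  # assumed model class; varies by version
    # Only authorise narrowly scoped, pure-computation modules.
    additional_authorized_imports=["math", "statistics"],
    # Run generated code in an isolated backend (Docker or E2B) rather than
    # the host Python interpreter; "executor_type" is an assumption based on
    # the secure execution tutorial and may be named differently elsewhere.
    executor_type="docker",
)

agent.run("Compute the mean CVSS score for the findings: 9.8, 7.5, 6.1.")
```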
Conclusion: Proceed with Eyes Wide Open
SmolAgents offers a compelling model for dynamic reasoning and tool execution via code. While built-in sandboxes and remote execution options provide solid protections, enabling powerful libraries via “additional_authorized_imports” can introduce severe vulnerabilities. The Hugging Face secure execution tutorial (huggingface.co) outlines best practices, but containers or remote execution are not optional for production: they are essential when deploying agents that execute code automatically.