High severity: LocalCommandLineCodeExecutor
The agent executes malicious LLM-generated code directly on the local host (e.g., removing files, making network calls, RCE) when `use_docker=False` is set or in versions before 0.2.8. It raises an error if Docker is unavailable but falls back insecurely. The symptom is output showing local file changes or host access that the user did not intend.
Root cause
LocalCommandLineCodeExecutor runs LLM-generated code via subprocess on the host, with no containerization. It relies on basic command sanitization, which prevents some destructive commands, but remains vulnerable to arbitrary host access and RCE via malicious code (e.g., `os.system`). The Docker executor isolates execution in containers [AutoGen Blog](https://microsoft.github.io/autogen/0.2/blog/2024/01/23/Code-execution-in-docker/) [AG2 Docs](https://docs.ag2.ai/latest/docs/api-reference/autogen/coding/LocalCommandLineCodeExecutor/).
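One way to audit a codebase for the two conditions described above, as an added example that is not AutoGen's or AG2's own code: a static scan for `use_docker=False` and for `LocalCommandLineCodeExecutor` being instantiated. The function name `find_host_execution` and the sample source are constructed for illustration.

```python
import ast

# Constructed sample: agent setup code as it might appear in a project under review.
SAMPLE = '''
from autogen import UserProxyAgent
from autogen.coding import LocalCommandLineCodeExecutor, DockerCommandLineCodeExecutor

risky = UserProxyAgent("runner", code_execution_config={"use_docker": False})
local = UserProxyAgent("local", code_execution_config={"executor": LocalCommandLineCodeExecutor(work_dir="out")})
safe = UserProxyAgent("boxed", code_execution_config={"executor": DockerCommandLineCodeExecutor()})
pinned = UserProxyAgent("img", code_execution_config={"use_docker": "python:3-slim"})
'''

def _is_false(node):
    # Only a literal False counts; True or an image name keeps Docker enabled.
    return isinstance(node, ast.Constant) and node.value is False

def find_host_execution(source, filename="<source>"):
    """Return sorted (line, reason) pairs where generated code would run on the host."""
    findings = set()
    for node in ast.walk(ast.parse(source, filename)):
        # {"use_docker": False} inside a config dict
        if isinstance(node, ast.Dict):
            for key, value in zip(node.keys, node.values):
                if isinstance(key, ast.Constant) and key.value == "use_docker" and _is_false(value):
                    findings.add((value.lineno, "use_docker=False"))
        # use_docker=False passed as a keyword argument
        elif isinstance(node, ast.keyword) and node.arg == "use_docker" and _is_false(node.value):
            findings.add((node.value.lineno, "use_docker=False"))
        # LocalCommandLineCodeExecutor(...) instantiated, bare or via a module attribute
        elif isinstance(node, ast.Call):
            func = node.func
            name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
            if name == "LocalCommandLineCodeExecutor":
                findings.add((node.lineno, "LocalCommandLineCodeExecutor"))
    return sorted(findings)

if __name__ == "__main__":
    for line, reason in find_host_execution(SAMPLE):
        print(f"line {line}: {reason} runs LLM-generated code on the host")
```

The scan only sees literal values, so a `use_docker` setting computed at runtime or read from configuration still needs a manual check.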
autogen, code_execution, LocalCommandLineCodeExecutor, DockerCommandLineCodeExecutor, RCE, sandbox