Severity: low
Component: E2B sandbox bash tool, file ops

Agent code creates a symlink inside the sandbox's permitted directory that points at a file outside it (e.g., `ln -s /etc/passwd leak`), then reads or writes through the link. If the path check is lexical only (a string-prefix or normalisation test on the requested path), the check passes because `leak` sits under the allowed root, but the open() that follows resolves the link, so the operation actually targets a file outside the permitted tree. This can leak data from the guest, or allow writes, if shared mounts or other sensitive guest files are reachable; it is not by itself a host escape.

Root cause

No E2B-specific symlink escape is documented. The general root cause in sandboxes is a lexical path check (a string-prefix or normalisation-only test on the requested path) performed before a file operation that itself follows symlinks (open/read/write). A symlink whose path string is inside the sandbox root but whose target resolves outside it passes the check and is then followed by the operation. Resolving the path (realpath) before the check closes the obvious gap, but a resolve-then-open sequence can still be raced (TOCTOU); the robust fix is to open with O_NOFOLLOW or with beneath-only resolution (openat2 RESOLVE_BENEATH on Linux 5.6+). E2B's Firecracker microVM isolation confines any such escape to the guest and prevents host escape.
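The following is an added example, not E2B's code, showing the root cause concretely: a lexical prefix check passes a planted symlink while a resolving check rejects it. The sandbox directory, the "secret" file outside it and the `leak` symlink are all constructed in a temporary directory for the demonstration; the function names `lexical_allows`, `resolved_allows` and `read_sandboxed` are hypothetical stand-ins for a file tool's path check and read path.

```python
"""
Added example (not E2B's code): a lexical (string-prefix) path check does
not stop a symlink from pointing outside a sandbox root, whereas a
resolving check does. All paths and file contents below are constructed
for the demonstration.
"""
import os
import tempfile
from pathlib import Path
from typing import Callable, Optional


def lexical_allows(root: str, requested: str) -> bool:
    """Vulnerable check: normalises the string only and never touches the
    filesystem, so a symlink whose *name* is under root passes. It does
    catch plain '../' traversal, which is why it looks sufficient."""
    root_n = os.path.normpath(root)
    target = os.path.normpath(os.path.join(root_n, requested))
    return target == root_n or target.startswith(root_n + os.sep)


def resolved_allows(root: str, requested: str) -> bool:
    """Hardened check: resolve symlinks in both root and the requested path
    (strict=False, so a not-yet-existing file can still be checked), then
    compare the resolved locations rather than the strings."""
    root_r = Path(root).resolve()
    target_r = (root_r / requested).resolve()
    return target_r == root_r or root_r in target_r.parents


def read_sandboxed(root: str, requested: str,
                   check: Callable[[str, str], bool]) -> Optional[str]:
    """Mimic a file tool: apply `check`, then open and read. open() follows
    the symlink regardless of what the check inspected."""
    if not check(root, requested):
        return None
    with open(os.path.join(root, requested)) as fh:
        return fh.read()


def demo() -> dict:
    """Build a sandbox dir and a secret outside it, plant the symlink the
    text describes (`ln -s <outside>/secret.txt leak`), and record what
    each check does. Returns the outcomes so they can be inspected."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = Path(tmp) / "outside"
        outside.mkdir()
        secret = outside / "secret.txt"
        secret.write_text("host-side data\n")   # constructed secret content

        sandbox = Path(tmp) / "sandbox"
        sandbox.mkdir()
        (sandbox / "leak").symlink_to(secret)   # ln -s .../outside/secret.txt leak

        root = str(sandbox)
        return {
            "lexical_passes": lexical_allows(root, "leak"),
            "lexical_leaks": read_sandboxed(root, "leak", lexical_allows),
            "resolved_passes": resolved_allows(root, "leak"),
            "resolved_leaks": read_sandboxed(root, "leak", resolved_allows),
            # plain dot-dot traversal is already rejected lexically
            "dotdot_caught_lexically": lexical_allows(root, "../outside/secret.txt"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Note that `resolved_allows` closes the gap shown here but still resolves and then opens in two steps, so a link swapped in between the two calls (TOCTOU) would not be caught; in production the check should be enforced by the open itself, for example with `O_NOFOLLOW` on the final component or, on Linux 5.6+, `openat2` with `RESOLVE_BENEATH`.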

Tags: e2b, sandbox, symlink, firecracker, microvm, path-traversal, cwe-61

Citations