Summary
The base sandbox image includes nc (netcat), a standard tool for reverse shells, port scanning, and data exfiltration. While the OpenShell proxy blocks outbound connections to unauthorised hosts, netcat shouldn't be in the image at all.
Reproduction
Impact
If a proxy bypass is ever found, netcat is the first tool an attacker (or prompt-injected agent) would reach for. It enables:
- Reverse shell connections
- Port scanning of internal networks
- Raw TCP data exfiltration
The proxy currently blocks these, but defence-in-depth means removing the tool regardless.
Recommendation
Remove netcat-openbsd and netcat-traditional from the sandbox image. Also audit for other unnecessary network tools (nmap, socat, telnet, etc.).
Environment
- openshell 0.0.14
- Base sandbox image:
ghcr.io/nvidia/openshell-community/sandboxes/base:latest
Summary
The base sandbox image includes
nc(netcat), a standard tool for reverse shells, port scanning, and data exfiltration. While the OpenShell proxy blocks outbound connections to unauthorised hosts, netcat shouldn't be in the image at all.Reproduction
Impact
If a proxy bypass is ever found, netcat is the first tool an attacker (or prompt-injected agent) would reach for. It enables:
The proxy currently blocks these, but defence-in-depth means removing the tool regardless.
Recommendation
Remove
netcat-openbsdandnetcat-traditionalfrom the sandbox image. Also audit for other unnecessary network tools (nmap,socat,telnet, etc.).Environment
ghcr.io/nvidia/openshell-community/sandboxes/base:latest