The attack chain here is interesting because the escape didnt require a novel vulnerability in the sandbox itself. It exploited the fact that the LLM can reason about its environment and chain tool calls in ways the sandbox designers didnt anticipate. This is the fundamental tension with agent sandboxing: you need the agent capable enough to be useful, but capability and containment are in direct tension.