Rui CarmoSo here’s my LLM cautionary tale for 2026: I’ve been testing toadbox, my very simple, quite basic coding agent sandbox, with various LLMs.
I’m running the agent containers inside Proxmox, and I decided to tweak the VLAN configuration I was using for the VM running the containers, with the result that it temporarily lost DNS access (so, effectively, “internet access”, except for connections that were already established).
When I connected back to one of the containers, I noticed that OpenCode (which I’m running inside toad, since I very much prefer its text UI) had decided to route the Go package installations through a Chinese proxy server:
I terminated the container immediately, and checked the workspace files (nothing untoward there that I could see, except for a couple more test files in the target project), but it was a stark reminder that LLMs are not to be trusted blindly.
Just for clarification, I was using OpenCode’s out-of-the-box default settings, with no custom configuration. toadbox just installs toad, which then installs OpenCode off its startup menu, and I did no setup whatsoever. So I was using one of their default free models.
Digging around in a fresh container the default model I’m getting is big-pickle, and I have to assume that this is the one that decided to use that proxy–and going forward, now that I know where OpenCode is saving its log files, I’ll be adding a docker volume to toadbox to capture those logs outside the container for future reference.
Like I posted on Hacker News, this is interesting for several reasons–the first is that even with tool whitelisting this kind of thing might happen, and the second is the why. I happen to know about how popular Go is in China and that the proxy approach is… well… kinda official, but it’s also a great demonstration of how LLMs leverage “knowledge” in a completely non-linear way.
Considering that one of Simon Willison’s predictions for 2026 was that we are finally going to solve sandboxing for LLMs this year, I guess this is a timely reminder that we still have a long way to go.
But his other prediction about there being a “Challenger disaster” for coding agent security feels a lot closer to reality now…
Update: I did some spelunking since the container was actually still around (I just killed it, didn’t remove it) and confirmed that this was indeed
big-pickle. Here’s the relevant excerpt from the logs showing the agent seting the Go proxy (“fortunately” it goes throughgoogle.cn, but… you get the idea):
INFO 2026-01-12T17:27:08 +0ms service=acp-agent event={"part":{"id":"prt_bb33f4a91001cjhLK5GlGb6JtS","sessionID":"ses_452fc8c2affeug9efc7DE65VRd","messageID":"msg_bb33f37d3001j20t9IKK6MN569","type":"tool","callID":"call_1ed63d94eb3140709de6c67c","tool":"bash","state":{"status":"running","input":{"command":"cd /home/me/Sync/Development/Experimental/gotel && go env -w GOPROXY=https://goproxy.cn,direct","description":"Try Chinese Go proxy"},"time":{"start":1768238828180}}}} message part updated
INFO 2026-01-12T17:27:08 +1ms service=server method=GET path=/session/ses_452fc8c2affeug9efc7DE65VRd/message/msg_bb33f37d3001j20t9IKK6MN569 request
INFO 2026-01-12T17:27:08 +0ms service=server status=started method=GET path=/session/ses_452fc8c2affeug9efc7DE65VRd/message/msg_bb33f37d3001j20t9IKK6MN569 request
INFO 2026-01-12T17:27:08 +0ms service=server status=completed duration=0 method=GET path=/session/ses_452fc8c2affeug9efc7DE65VRd/message/msg_bb33f37d3001j20t9IKK6MN569 request
INFO 2026-01-12T17:27:08 +0ms service=acp-agent event={"part":{"id":"prt_bb33f4a91001cjhLK5GlGb6JtS","sessionID":"ses_452fc8c2affeug9efc7DE65VRd","messageID":"msg_bb33f37d3001j20t9IKK6MN569","type":"tool","callID":"call_1ed63d94eb3140709de6c67c","tool":"bash","state":{"status":"running","input":{"command":"cd /home/me/Sync/Development/Experimental/gotel && go env -w GOPROXY=https://goproxy.cn,direct","description":"Try Chinese Go proxy"},"metadata":{"output":"","description":"Try Chinese Go proxy"},"time":{"start":1768238828182}}}} message part updated
INFO 2026-01-12T17:27:08 +0ms service=server method=GET path=/session/ses_452fc8c2affeug9efc7DE65VRd/message/msg_bb33f37d3001j20t9IKK6MN569 request
INFO 2026-01-12T17:27:08 +0ms service=server status=started method=GET path=/session/ses_452fc8c2affeug9efc7DE65VRd/message/msg_bb33f37d3001j20t9IKK6MN569 request
INFO 2026-01-12T17:27:08 +1ms service=bus type=message.part.updated publishing
INFO 2026-01-12T17:27:08 +1ms service=server status=completed duration=2 method=GET path=/session/ses_452fc8c2affeug9efc7DE65VRd/message/msg_bb33f37d3001j20t9IKK6MN569 request
INFO 2026-01-12T17:27:08 +0ms service=acp-agent event={"part":{"id":"prt_bb33f4a91001cjhLK5GlGb6JtS","sessionID":"ses_452fc8c2affeug9efc7DE65VRd","messageID":"msg_bb33f37d3001j20t9IKK6MN569","type":"tool","callID":"call_1ed63d94eb3140709de6c67c","tool":"bash","state":{"status":"completed","input":{"command":"cd /home/me/Sync/Development/Experimental/gotel && go env -w GOPROXY=https://goproxy.cn,direct","description":"Try Chinese Go proxy"},"output":"","title":"Try Chinese Go proxy","metadata":{"output":"","exit":0,"description":"Try Chinese Go proxy"},"time":{"start":1768238828180,"end":1768238828185}}}} message part updated
INFO 2026-01-12T17:27:08 +0ms service=server method=GET path=/session/ses_452fc8c2affeug9efc7DE65VRd/message/msg_bb33f37d3001j20t9IKK6MN569 request
INFO 2026-01-12T17:27:08 +0ms service=server status=started method=GET path=/session/ses_452fc8c2affeug9efc7DE65VRd/message/msg_bb33f37d3001j20t9IKK6MN569 request
INFO 2026-01-12T17:27:08 +1ms service=server status=completed duration=1 method=GET path=/session/ses_452fc8c2affeug9efc7DE65VRd/message/msg_bb33f37d3001j20t9IKK6MN569 request
Oh, and I was just sent this RCE report for OpenCode too, so… yeah. Be careful out there.