Always run in sandboxes. LLMs without any backdoor tools invocations always are notorious in screwing things up like leaking private keys/deleting data. And we are working towards mitigating man in the middle attacks. It's an interesting problem.