Hacker News

KurSix, yesterday at 8:36 PM

The only real solution here is strict egress filtering. The agent can fetch packages (npm/pip) via a proxy, but shouldn't be able to initiate connections to arbitrary IPs. If the agent needs to google, that should be done via the Supervisor, not from within the container. Network isolation is more reliable than content analysis.
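
As an added example (not part of the comment above or of any project it refers to), this is the allowlist decision an egress proxy could make for each CONNECT request coming from the agent container. The hostnames, the port set and all function names are assumptions chosen for illustration.

```python
import ipaddress

# Assumed allowlist: registries that npm and pip need (constructed for this example).
ALLOWED_HOSTS = {"registry.npmjs.org", "pypi.org", "files.pythonhosted.org"}
ALLOWED_PORTS = {443}

def parse_authority(target):
    """Split a CONNECT target 'host:port' or '[v6]:port' into (host, port)."""
    host, sep, port = target.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError("CONNECT target must be host:port")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]  # strip IPv6 brackets
    # Normalise case and the trailing root dot so 'PyPI.org.' equals 'pypi.org'.
    return host.lower().rstrip("."), int(port)

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def decide(target):
    """Return (allowed, reason) for one CONNECT request from the agent container."""
    try:
        host, port = parse_authority(target)
    except ValueError as exc:
        return False, str(exc)
    if is_ip_literal(host):
        return False, "raw IP destination"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    if host not in ALLOWED_HOSTS:  # exact match only, no suffix or wildcard matching
        return False, "host not on allowlist"
    return True, "package registry"

# Constructed sample of CONNECT targets, not captured traffic.
SAMPLE = ["registry.npmjs.org:443", "PyPI.org.:443", "203.0.113.7:443",
          "[2001:db8::1]:443", "pypi.org.evil.example:443",
          "registry.npmjs.org:22", "www.google.com:443"]

if __name__ == "__main__":
    for target in SAMPLE:
        allowed, reason = decide(target)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {target:30} {reason}")
```

The decision only holds if the container's network permits outbound connections to the proxy and nothing else; that rule belongs to the network layer, not to this code.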