Seems like a great idea for something to just run inside a chroot jail (or the modern equivalent, a container).