That depends on how you configure or implement your sandbox. If you let it have internet access as part of the sandbox, then yes, but that is your own choice.

Internet access is required to install third party packages, so given the choice almost no one would disable it for a coding agent sandbox.

In practice, it seems to me that the sandbox is only good enough to limit file system access to a certain project, everything else (code or secret exfiltration, installing vulnerable packages, adding prompt injection attacks for others to run) is game if you’re in YOLO mode like pi here.

Maybe a finer grained approach based on capabilities would help: https://simonwillison.net/2025/Apr/11/camel/