Running in CIRCLE? A Simple Benchmark for LLM Code Interpreter Security

TL;DR

This paper introduces CIRCLE, a benchmark to evaluate security risks in LLM code interpreters, revealing significant vulnerabilities and disparities across models, emphasizing the need for better safeguards and standards.

Contribution

The paper presents CIRCLE, a novel benchmark for systematically assessing cybersecurity risks in LLM code interpreters, including a large set of prompts and an automated evaluation framework.

Findings

Models show significant vulnerability disparities.

Indirect prompts weaken defenses substantially.

OpenAI's o4-mini outperforms GPT-4.1 in refusal rates.

Abstract

As large language models (LLMs) increasingly integrate native code interpreters, they enable powerful real-time execution capabilities, substantially expanding their utility. However, such integrations introduce potential system-level cybersecurity threats, fundamentally different from prompt-based vulnerabilities. To systematically evaluate these interpreter-specific risks, we propose CIRCLE (Code-Interpreter Resilience Check for LLM Exploits), a simple benchmark comprising 1,260 prompts targeting CPU, memory, and disk resource exhaustion. Each risk category includes explicitly malicious ("direct") and plausibly benign ("indirect") prompt variants. Our automated evaluation framework assesses not only whether LLMs refuse or generates risky code, but also executes the generated code within the interpreter environment to evaluate code correctness, simplifications made by the LLM to make the code safe, or execution timeouts. Evaluating 7 commercially available models from OpenAI and Google, we uncover significant and inconsistent vulnerabilities. For instance, evaluations show substantial disparities even within providers - OpenAI's o4-mini correctly refuses risky requests at 7.1%, notably higher rates compared to GPT-4.1 at 0.5%. Results particularly underscore that indirect, socially-engineered prompts substantially weaken model defenses. This highlights an urgent need for interpreter-specific cybersecurity benchmarks, dedicated mitigation tools (e.g., guardrails), and clear industry standards to guide safe and responsible deployment of LLM interpreter integrations. The benchmark dataset and evaluation code are publicly released to foster further research.