Good question - and the answer is no, they cannot escape.
nono uses Landlock (Linux) and Seatbelt (macOS) - these are kernel-level security mechanisms. When a sandbox is created:
All child processes inherit the restrictions - if the agent spawns Python, Bash, or compiles and runs a binary, that process is equally sandboxed There is no API to remove or expand the sandbox - once restrict_self() (Landlock) or sandbox_init() (Seatbelt) is called, the restrictions are permanent for that process tree.
I recently got one such contact through telegram with a so called Chinese worker asking to use my upwork account to get jobs and he will pay me a share of what he makes through my account. I had a quick chat with him to know how he got my contact info and it looks like they just scrape every profile on github and upwork and my username on github was thesame as the one on telegram. After sending him a meme of Kim Jun Un and asking him if he works for him he quickly deleted our wholesale conversation.
