diff --git a/src/google/adk/agents/config_agent_utils.py b/src/google/adk/agents/config_agent_utils.py
index 82aaa6e452..7a69cc531b 100644
--- a/src/google/adk/agents/config_agent_utils.py
+++ b/src/google/adk/agents/config_agent_utils.py
@@ -81,10 +81,29 @@ def _resolve_agent_class(agent_class: str) -> type[BaseAgent]:
 " BaseAgent."
 )
-
+_BLOCKED_MODULES = frozenset({
+ "os",
+ "sys",
+ "subprocess",
+ "builtins",
+ "importlib",
+ "shutil",
+ "socket",
+ "ctypes",
+ "pickle",
+ "marshal",
+})
+_BLOCKED_YAML_KEYS = frozenset({
+ "args",
+ "model_code",
+ "tools",
+ "callbacks",
+ "input_schema",
+ "output_schema",
+})
+_ENFORCE_DENYLIST = True
 def _load_config_from_path(config_path: str) -> AgentConfig:
 """Load an agent's configuration from a YAML file.
-
 Args:
 config_path: Path to the YAML config file. Both relative and absolute
 paths are accepted.
@@ -188,7 +207,9 @@ def resolve_code_reference(code_config: CodeConfig) -> Any:
 """
 if not code_config or not code_config.name:
 raise ValueError("Invalid CodeConfig.")
-
+ top_level = code_config.name.split(".")[0]
+ if top_level in _BLOCKED_MODULES:
+ raise ValueError(f"Module '{top_level}' is not allowed in code references.")
 module_path, obj_name = code_config.name.rsplit(".", 1)
 module = importlib.import_module(module_path)
 return getattr(module, obj_name)
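Review bot: `_BLOCKED_YAML_KEYS` and `_ENFORCE_DENYLIST` are introduced in this hunk but nothing in the commit reads them; the check added to `resolve_code_reference` in the second hunk tests `_BLOCKED_MODULES` unconditionally, so the flag does not do what its name promises. Either gate that check, `if _ENFORCE_DENYLIST and top_level in _BLOCKED_MODULES:`, or drop both unused constants; the key set also appears to overlap with ordinary config field names (`tools`, `callbacks`, `output_schema`), which would need explaining if it is ever enforced. None of the three constants carries a comment; I would add `# Top-level packages that resolve_code_reference refuses to import. A denylist is incomplete by construction; prefer an allowlist of trusted package prefixes where possible.` above `_BLOCKED_MODULES`. The hunk also deletes the blank line after the docstring summary of `_load_config_from_path` and the blank lines separating the new constants from that `def`, contrary to PEP 8/257 spacing.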
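Review bot: The new guard inspects only the first dotted component of `code_config.name`, so it is a narrow control: it refuses an import by package name but the object returned by `getattr(module, obj_name)` is handed back unvalidated, whatever the permitted module exposes. A denylist of package names is incomplete by construction; the stronger shape is to compare `module_path` against an allowlist of trusted prefixes and to verify that the resolved object is of the kind the caller expects (a callable or a class) before returning it. Independently, a name with no dot passes the denylist and then fails at `rsplit(".", 1)` with an unpack `ValueError` rather than the intended message; extending the existing test to `if not code_config or not code_config.name or "." not in code_config.name:` reports it cleanly. The function's docstring begins outside the hunk and should document the new rejection and the `ValueError` it raises.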