Update ADK doc according to issue #1587 - 10 (#1605)

Open
adk-bot wants to merge 1 commit into main from agent-changes-20260409-202458

Conversation

adk-bot (Collaborator) commented Apr 9, 2026

Add a security note specifying that when uploading or providing YAML agent configurations (e.g., root_agent.yaml), the args key (used in CodeConfig.args or ToolConfig.args) is strictly blocked and will result in an upload error. Explain that this is a security measure to prevent arbitrary Remote Code Execution (RCE).

netlify Bot commented Apr 9, 2026

Deploy Preview for adk-docs-preview ready!

  • Latest commit: a1644cb
  • Latest deploy log: https://app.netlify.com/projects/adk-docs-preview/deploys/69d80b2005819500084af436
  • Deploy Preview: https://deploy-preview-1605--adk-docs-preview.netlify.app

jcwriter74 (Collaborator) commented May 22, 2026

Already added to the index.md of the Visual Builder

Security measure to prevent arbitrary Remote Code Execution (RCE) (YAML agent configurations)

Human Proposal (Security Note)

What are the args keys?

Agent configurations are often stored in .yaml files (like root_agent.yaml). These files define how an agent behaves, what model it uses, and what tools it can access. These files have “args” as their suffix. Some examples are:

  • ToolConfig.args: used to pass specific arguments or initialization parameters to a tool (e.g., a database connection string or a file path).
  • CodeConfig.args: used to pass parameters to custom Python scripts or functions that the agent would execute.

ADK Visual Builder

Agent Development Kit (ADK) Visual Builder is an example of a possible security risk related to the args key config and YAML files.

But why is it blocked?

  • If a malicious actor (or a compromised agent configuration) were to upload a YAML file containing args that point to sensitive Python modules (like os or subprocess), they could trick the server into running dangerous commands.
  • For instance, they could use args to tell a tool to delete files, steal environment variables (like API keys), or install malware on the host machine.
  • Since the Visual Builder is often hosted as a web service or shared environment, allowing arbitrary arguments in uploaded files would make the server vulnerable to anyone who can upload a configuration.

What happens if you use it?

If you try to upload a .yaml file to the Visual Builder that contains the word args as a key:

  • Validation Failure: The backend (specifically the FastAPI server handling the build process) performs a strict check.
  • Immediate Error: The upload will fail instantly with a ValueError. The system rejects the file entirely to ensure no unsafe parameters ever reach the execution engine.
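The strict check described in the note above, as an added example that is not ADK's own validator: it walks a parsed agent config, reports every `args` key by path, and rejects the whole file with a ValueError. Function names, the BLOCKED_KEY constant and the sample configs are assumptions; the samples are constructed inline as the mappings `yaml.safe_load` would return, so the block runs without PyYAML.

```python
"""Reject agent-config YAML that carries an ``args`` key anywhere in the tree.

Added example, not ADK's own code. Mirrors the behaviour the note describes:
a strict check on upload, a ValueError, and the whole file rejected.
Names below are assumptions; sample configs are constructed for the demo.
"""
from typing import Any, Iterator

BLOCKED_KEY = "args"  # assumed: the key the Visual Builder backend refuses


def find_blocked_keys(node: Any, path: str = "") -> Iterator[str]:
    """Yield the dotted path of every BLOCKED_KEY in a parsed YAML tree.

    Recurses through mappings and sequences so nested keys such as
    ToolConfig.args or CodeConfig.args are found, not only top-level ones.
    """
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else str(key)
            if key == BLOCKED_KEY:
                yield child
            yield from find_blocked_keys(value, child)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from find_blocked_keys(item, f"{path}[{index}]")


def validate_agent_config(config: dict) -> dict:
    """Return the config unchanged, or raise ValueError if any args key exists."""
    hits = list(find_blocked_keys(config))
    if hits:
        raise ValueError(
            f"upload rejected: '{BLOCKED_KEY}' is not allowed ({', '.join(hits)})"
        )
    return config


def is_rejected(config: dict) -> bool:
    """True when the validator refuses the config (convenience for callers)."""
    try:
        validate_agent_config(config)
    except ValueError:
        return True
    return False


# Constructed samples: what a root_agent.yaml would parse to.
SAFE_CONFIG = {"name": "root_agent", "tools": [{"name": "search_tool"}]}
UNSAFE_CONFIG = {"name": "root_agent",
                 "tools": [{"name": "runner", "args": ["--verbose"]}]}
```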
