diff --git a/src/google/adk/agents/config_agent_utils.py b/src/google/adk/agents/config_agent_utils.py
index f9a3e7f594..9c6ff3663f 100644
--- a/src/google/adk/agents/config_agent_utils.py
+++ b/src/google/adk/agents/config_agent_utils.py
@@ -79,9 +79,20 @@ def _resolve_agent_class(agent_class: str) -> type[BaseAgent]:
 " BaseAgent."
 )
 
-
-_BLOCKED_YAML_KEYS = frozenset({"args"})
-_ENFORCE_DENYLIST = False
+_BLOCKED_MODULES = frozenset({
+ "os", "sys", "subprocess", "builtins",
+ "importlib", "shutil", "socket",
+ "ctypes", "pickle", "marshal",
+})
+_BLOCKED_YAML_KEYS = frozenset({
+ "args",
+ "model_code",
+ "tools",
+ "callbacks",
+ "input_schema",
+ "output_schema",
+})
+_ENFORCE_DENYLIST = True
 
 
 def _set_enforce_denylist(value: bool) -> None:
@@ -214,7 +225,11 @@ def resolve_code_reference(code_config: CodeConfig) -> Any:
 """
 if not code_config or not code_config.name:
 raise ValueError("Invalid CodeConfig.")
-
+ top_level = code_config.name.split(".")[0]
+ if top_level in _BLOCKED_MODULES:
+ raise ValueError(
+ f"Module '{top_level}' is not allowed in code references."
+ )
 module_path, obj_name = code_config.name.rsplit(".", 1)
 module = importlib.import_module(module_path)
 obj = getattr(module, obj_name)
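Review bot: `_BLOCKED_MODULES` is a fixed denylist of ten top-level module names, so it fails open for every module it does not list. For code references loaded from configuration, an allowlist of the package prefixes that configs are expected to reference is the safer default. In the same hunk `_ENFORCE_DENYLIST` flips to `True` and `_BLOCKED_YAML_KEYS` gains five keys (`model_code`, `tools`, `callbacks`, `input_schema`, `output_schema`), which presumably rejects configs that load today; where the set is consulted is outside this hunk, so this is worth pinning with a test. Neither set has a comment naming the threat it addresses; I would add `# Names rejected when resolving references from untrusted YAML agent configs.` above `_BLOCKED_MODULES`. The hunk also leaves a single blank line between the preceding function and the new constants where the file used two.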
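Review bot: The guard added to `resolve_code_reference` compares only the first dotted component of `code_config.name` with `_BLOCKED_MODULES`, so it validates the spelling of the reference and not the object that `getattr(module, obj_name)` returns. Because modules routinely expose other modules as attributes, the name check alone does not establish that the resolved object comes from an acceptable module. Validating `module_path` against an allowlist of permitted prefixes before `importlib.import_module` runs would give that guarantee, and it would also keep import-time side effects of unexpected modules from executing. The guard is not gated by `_ENFORCE_DENYLIST`, so `_set_enforce_denylist(False)` leaves it active; if that is deliberate, the docstring should say so. The function starts and ends outside the hunk.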