Description
The Calculator tool in gemma/gm/tools/_calculator.py currently uses eval(expression, _OPS) to evaluate mathematical expressions, which creates a code injection vulnerability (CWE-94). While the implementation attempts to restrict available operations through the _OPS dictionary, this approach is insufficient because Python's eval() still retains access to built-in functions through various introspection techniques. An attacker could potentially bypass the namespace restrictions using methods like object introspection or method resolution order manipulation to access dangerous built-ins like __import__, exec, or compile, leading to arbitrary code execution.
The core issue is that the second parameter to eval() only supplies the global namespace; it does not isolate the execution environment from Python's built-in functions, because when that dictionary has no `__builtins__` entry Python inserts the real builtins module into it. This means that even with a carefully curated _OPS dictionary, the calculator remains vulnerable to attacks that leverage Python's dynamic nature to break out of the sandbox. Any system that processes untrusted mathematical expressions through this calculator is at risk of remote code execution, making this a critical security concern for production deployments.
I have developed a comprehensive fix that hardens the eval() environment by explicitly blocking access to all built-in functions while maintaining full mathematical functionality. The solution includes proper error handling and has been tested against both legitimate mathematical operations and malicious payloads. I'm submitting a pull request immediately after this issue that implements these security enhancements while preserving backward compatibility with all existing mathematical operations.
I have also attached screenshots that show the vulnerability and the testing process.
