diff --git a/src/google/adk/agents/config_agent_utils.py b/src/google/adk/agents/config_agent_utils.py
index ae3203be11..95985c394e 100644
--- a/src/google/adk/agents/config_agent_utils.py
+++ b/src/google/adk/agents/config_agent_utils.py
@@ -81,6 +81,27 @@ def _resolve_agent_class(agent_class: str) -> type[BaseAgent]:
         " BaseAgent."
     )
+_BLOCKED_MODULES = frozenset({
+    "os",
+    "sys",
+    "subprocess",
+    "builtins",
+    "importlib",
+    "shutil",
+    "socket",
+    "ctypes",
+    "pickle",
+    "marshal",
+})
+_BLOCKED_YAML_KEYS = frozenset({
+    "args",
+    "model_code",
+    "tools",
+    "callbacks",
+    "input_schema",
+    "output_schema",
+})
+_ENFORCE_DENYLIST = True
 _BLOCKED_YAML_KEYS = frozenset({"args"})
 _ENFORCE_YAML_KEY_DENYLIST = False
@@ -109,7 +130,6 @@ def _check_config_for_blocked_keys(node: Any, filename: str) -> None:
 def _load_config_from_path(config_path: str) -> AgentConfig:
   """Load an agent's configuration from a YAML file.
-
   Args:
     config_path: Path to the YAML config file. Both relative and absolute
       paths are accepted.
@@ -308,6 +328,9 @@ def resolve_code_reference(code_config: CodeConfig) -> Any:
   """
   if not code_config or not code_config.name:
     raise ValueError("Invalid CodeConfig.")
+  top_level = code_config.name.split(".")[0]
+  if top_level in _BLOCKED_MODULES:
+    raise ValueError(f"Module '{top_level}' is not allowed in code references.")
   _validate_module_reference(code_config.name)
   module_path, obj_name = code_config.name.rsplit(".", 1)
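Review bot: `_BLOCKED_YAML_KEYS` is assigned twice in the first hunk: the new six-key frozenset is immediately followed by the unchanged context line `_BLOCKED_YAML_KEYS = frozenset({"args"})`, so at import time the expanded key denylist is discarded and only "args" stays blocked. The added `_ENFORCE_DENYLIST = True` likewise sits next to the pre-existing `_ENFORCE_YAML_KEY_DENYLIST = False`, and nothing in this diff reads the new flag, so whichever flag `_check_config_for_blocked_keys` consults (its body is outside the hunk) presumably still sees enforcement off. Remove the two old assignments, or fold the new keys into them, and keep a single flag name so the intended denylist is the one that is actually in effect. A top-level module denylist is also a weak control on its own, because a blocked module can be reached through any package that re-exports it; if the goal is to restrict what YAML may reference, an allowlist of permitted packages is the safer default and should be documented alongside these constants.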
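Review bot: The new check in `resolve_code_reference` compares only the first dotted segment of `code_config.name` against `_BLOCKED_MODULES` and runs before `_validate_module_reference`, so it operates on the raw, unvalidated string; if that helper normalises or rejects malformed names, the denylist check here should run after it so both see the same value. Move the three added lines below `_validate_module_reference(code_config.name)` and give them a why-comment such as `# Refuse references into modules that grant direct process, filesystem or network access.`. Because only the top-level name is matched, a reference that reaches a blocked module through a re-exporting package is not caught; state this limitation in the function's docstring or replace the denylist with an allowlist of permitted packages. The body of resolve_code_reference continues outside the hunk.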