diff --git a/src/google/adk/agents/config_agent_utils.py b/src/google/adk/agents/config_agent_utils.py
index f9a3e7f594..5ffa3e0f75 100644
--- a/src/google/adk/agents/config_agent_utils.py
+++ b/src/google/adk/agents/config_agent_utils.py
@@ -79,9 +79,27 @@ def _resolve_agent_class(agent_class: str) -> type[BaseAgent]:
 " BaseAgent."
 )
 
-
-_BLOCKED_YAML_KEYS = frozenset({"args"})
-_ENFORCE_DENYLIST = False
+_BLOCKED_MODULES = frozenset({
+ "os",
+ "sys",
+ "subprocess",
+ "builtins",
+ "importlib",
+ "shutil",
+ "socket",
+ "ctypes",
+ "pickle",
+ "marshal",
+})
+_BLOCKED_YAML_KEYS = frozenset({
+ "args",
+ "model_code",
+ "tools",
+ "callbacks",
+ "input_schema",
+ "output_schema",
+})
+_ENFORCE_DENYLIST = True
 
 
 def _set_enforce_denylist(value: bool) -> None:
@@ -214,7 +232,9 @@ def resolve_code_reference(code_config: CodeConfig) -> Any:
 """
 if not code_config or not code_config.name:
 raise ValueError("Invalid CodeConfig.")
-
+ top_level = code_config.name.split(".")[0]
+ if top_level in _BLOCKED_MODULES:
+ raise ValueError(f"Module '{top_level}' is not allowed in code references.")
 module_path, obj_name = code_config.name.rsplit(".", 1)
 module = importlib.import_module(module_path)
 obj = getattr(module, obj_name)
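Review bot: `_BLOCKED_MODULES` and the enlarged `_BLOCKED_YAML_KEYS` carry no comment saying what threat they address or how the entries were chosen, and a ten-name module denylist is by nature incomplete, since it cannot list every importable module that reaches the process, filesystem or network. I would add a comment above the constants such as `# Defense in depth only: top-level modules that YAML code references must not name; this is not a sandbox.` and treat an allowlist as the real control. Flipping `_ENFORCE_DENYLIST` to `True` while also blocking `tools`, `callbacks`, `input_schema` and `output_schema` looks like it would reject configs that were accepted before; the code that consumes these constants is outside the hunk, so please confirm that and call it out in the release notes. The hunk also drops one of the two blank lines that separated the end of `_resolve_agent_class` from the module-level constants.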
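Review bot: The new guard in `resolve_code_reference` tests only the first dotted component of the `code_config.name` string, so it says nothing about the object that `importlib.import_module` and `getattr` actually return: anything exposed as an attribute of a non-listed module passes, and importing a non-listed module still runs that module's top-level code. If the packages that configs may reference can be enumerated, an allowlist on `module_path` checked before the import is the sturdier control; the sketch below uses `_ALLOWED_CODE_PREFIXES` as a placeholder name for it. The sketch also swaps `rsplit(".", 1)` for `rpartition`, because a name without a dot currently fails with an unpacking `ValueError` whose message does not mention the config value. The function's body starts and ends outside the hunk.

```python
  # … unchanged: docstring and the "Invalid CodeConfig." check …
  module_path, _, obj_name = code_config.name.rpartition(".")
  if not module_path or not obj_name:
    raise ValueError(f"Invalid code reference: '{code_config.name}'.")
  # Placeholder name: tuple of package prefixes that configs may reference.
  if not any(
      module_path == prefix or module_path.startswith(prefix + ".")
      for prefix in _ALLOWED_CODE_PREFIXES
  ):
    raise ValueError(
        f"Module '{module_path}' is not allowed in code references."
    )
  module = importlib.import_module(module_path)
  # … unchanged: getattr(module, obj_name) and the rest of the function …
```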