I think it shouldn't be that hard to adjust sandbox to catch executing external binaries in global scope and then give QA warnings about that.