Even if the code is sandboxed, it's possible to run outgoing attacks from something like this. The same is of course true of traditional server rentals, EC2, and any other service that gives you an OS instance of your own. The difference, though, is those are (ostensibly) less anonymous.