source: simon willison: running python code in a sandbox with micropython and wasm
level: technical
simon willison released an alpha package called micropython-wasm that runs micropython inside a webassembly sandbox. the goal is to safely execute untrusted python code within his own applications like datasette and llm. he wanted a sandbox that installs cleanly from pypi, enforces memory and cpu limits, controls file and network access, and supports host function calls. webassembly, designed for browser security, fits these needs better than embedding javascript engines.
the implementation compiles a custom micropython build to wasm using wasi support. a python library manages a persistent interpreter state by running a loop inside wasm that waits for code via a host function. this allows variables and functions to stay resident across multiple execution calls. host functions are exposed through a small c layer compiled into the wasm blob. memory limits come from wasmtime, and cpu limits use a fuel concept, though the right fuel value is still being tuned.
the package is available on pypi and can be tried with uvx or integrated into datasette agent via a plugin. willison warns it is alpha and not yet recommended for untrusted use without risk. he tested it by challenging gpt-5.5 to break out of the sandbox without success. he hopes the approach inspires professional security teams to adopt python-in-wasm sandboxing and open source their own solutions.
why it matters: safe execution of untrusted python code enables plugins and automation in data tools without risking data leaks or system crashes.
source: simon willison: running python code in a sandbox with micropython and wasm