Implementing Python Sandbox with MicroPython and WASM
Simon Willison has released an alpha version of "micropython-wasm," a sandbox for safely running Python code using MicroPython on WebAssembly. It is available as a plugin for Datasette Agent.
Software with a plugin system commonly faces a shared concern: the risk of running third-party code with full privileges. To address this issue, Simon Willison has proposed a new approach. By porting MicroPython to WebAssembly (WASM), he has developed and released an alpha package called micropython-wasm. This package is currently being utilized as a code execution sandbox plugin for Datasette Agent, a tool developed by Willison.
Why is a Sandbox Needed?
Simon Willison’s major open-source projects (Datasette, LLM, sqlite-utils) all support plugins. While plugin systems are excellent for extensibility, allowing new features to be added without affecting the core application, there’s a risk involved. Pluggy-based plugins execute Python code with full privileges, which means bugs or malicious code could potentially compromise the entire system or leak private data.
But this issue isn’t limited to plugins alone. Features like Datasette Enrichments, which allow arbitrary code execution to transform table values, also pose risks. Furthermore, Willison envisions functionalities like fetching JSON from approved URLs according to a schedule, transforming it with small code snippets, and inserting it into SQLite tables. In these scenarios, a secure environment for code execution is critical.
Requirements for the Sandbox
Willison has outlined several requirements for his sandbox:
-
Clean Installation via PyPI: The sandbox must be installable directly from PyPI with multi-platform support, including binary wheels. Users should be able to install the Python package without additional steps.
-
Memory and CPU Limits: Executing code should be restricted in terms of memory usage and CPU cycles to prevent infinite loops or memory-intensive operations from crashing the application or computer.
-
Strict File Access Control: The sandbox should either completely restrict file system access or explicitly define which files can be read or written to.
-
Network Access Control: The code within the sandbox should be unable to freely access the network.
The Potential of WebAssembly
WebAssembly was initially designed as a specification to securely execute code in browsers, and it offers several security advantages. Memory is isolated in linear memory, and access to system calls must be explicitly provided by the host. While server-side sandboxing using WASM has been attempted before, the maturation of WASM runtimes and the progress in porting Python implementations have made such solutions increasingly viable.
Focusing on these characteristics, Willison has compiled MicroPython into WASM, creating a lightweight and restricted Python execution environment. MicroPython is a Python implementation optimized for embedded systems and has a smaller footprint compared to full-featured CPython. Running on WASM enables seamless implementation of memory and CPU limits, as well as strict control over file system and network access.
Technical Features
micropython-wasm is likely built by compiling MicroPython using WASM toolchains like Emscripten. The package operates within Python applications through a WASM runtime (such as Wasmtime or Wasmer). Sandbox-executed code can only call functions explicitly defined by the host, enabling rigorous control over file I/O and network operations.
Willison has released this package as an alpha version and is already using it as a code execution sandbox plugin (datasette-agent-micropython) for Datasette Agent. Datasette Agent is an AI agent, and this sandbox is employed to safely execute Python code generated by the agent. Willison’s blog mentions the intriguing phrase “Should you trust my vibe-coded sandbox?”, hinting that AI (vibe coding) might have been used to develop the sandbox itself. This raises interesting questions about balancing development speed with security.
Current Limitations and Future Prospects
Being in its alpha stage, micropython-wasm may not yet have the robustness required for production environments. Since MicroPython is a subset of CPython, some standard libraries may be unavailable, and performance might be affected. Additionally, challenges like WASM runtime overhead and handling threads or asynchronous processing remain.
Nonetheless, the ability to install dependencies seamlessly through pip without requiring additional runtime setup is a significant advantage for end users. Compared to previous sandboxing methods—such as isolation via subprocesses, container-based approaches like gVisor or Firecracker, or Pyodide-based solutions—this WASM-based sandbox could lead in terms of ease of adoption.
Editorial Perspective
In the short term, this sandbox approach has the potential to extend beyond Datasette Agent and be applied to plugin systems in other Python applications. Developers grappling with plugin security will likely welcome more accessible WASM-based options. The need to safely execute code generated by AI agents is also growing, and combining sandboxing with AI agents could lead to intense competition over the next three to six months.
In the long term, WebAssembly could become a standard foundation for safe code execution across the Python ecosystem. While Pyodide provides a WASM port of CPython, MicroPython’s lightweight nature may prove advantageous in resource-constrained environments or scenarios requiring fast startup times. In the future, WASM-based sandboxes could become standard specifications for plugin execution environments within the OSS community. However, the practical implications of the compatibility gap between MicroPython and CPython remain to be seen.
As editors, we are particularly interested in exploring whether this sandbox was genuinely created using “vibe coding” and the processes ensuring its quality. The self-referential approach of using AI-generated code for a security-critical component invites a reevaluation of the trade-offs between security and development efficiency. Readers, how comfortable are you with using AI-generated code for critical applications? We encourage you to join the discussion.
References
- Simon Willison’s Weblog: Running Python code in a sandbox with MicroPython and WASM — Published on June 6, 2026
- Official Documentation: MicroPython
- Complete AI Agent Security Guide: 2026 Edition — Related Article
Frequently Asked Questions
- How does micropython-wasm work?
- MicroPython is compiled into WebAssembly, allowing Python code to be executed within a WASM runtime. File system and network access are strictly controlled by the host, creating a secure sandbox environment. Currently, it is in alpha stage.
- How does it compare to standard CPython?
- As a subset implementation, MicroPython lacks certain standard libraries and advanced features (e.g., parts of asyncio). Additionally, WASM runtime overhead may reduce execution speed. However, for sandbox usage, it is considered sufficient for many scenarios.
- Can it be used outside of Datasette Agent?
- While it is currently released as a plugin specifically for Datasette Agent, the package is designed to be general-purpose. It can be integrated into other Python applications, but users should be mindful of its alpha-stage limitations.
Comments