Running Python code in a sandbox with MicroPython and WASM

2026-06-06 · Source: Simon Willison's Weblog · Field: Technology & Digital — Software Development & Engineering, Cybersecurity & Data Privacy, Artificial Intelligence & Machine Learning · Depth: Intermediate, medium

Summary

The "micropython-wasm" alpha package, released on 6th June 2026, introduces a novel approach to running Python code in a secure sandbox environment using MicroPython compiled to WebAssembly (WASM). This solution addresses the critical need for safely executing untrusted plugin code within Python applications like Datasette, LLM, and sqlite-utils, preventing risks such as unauthorized file access, network communication, or resource exhaustion. The author leverages the "wasmtime" Python library for WASM execution and integrates MicroPython, a lean Python 3 implementation optimized for constrained environments. Key challenges overcome include maintaining persistent interpreter state across multiple code execution calls and exposing host functions, achieved through a threaded request queue and 78 lines of C code compiled into a 362KB WASM blob. The system also supports memory limits via "wasmtime" and is experimenting with a 20 million "fuel" setting for CPU limits.

Key takeaway

For AI Engineers or Software Engineers building plugin-extensible applications, "micropython-wasm" offers a promising path to secure arbitrary code execution. If you need to run untrusted Python code safely within your applications, consider experimenting with this alpha package. You can test its capabilities for memory and CPU limiting, and controlled file/network access. While currently an alpha release, exploring its integration could inform future secure plugin architectures, especially for AI agents requiring sandboxed code execution.

Key insights

Combining MicroPython with WebAssembly provides a robust, embeddable sandbox for untrusted Python code execution.

Principles

• WebAssembly offers strong isolation for untrusted code.
• MicroPython suits constrained WASM environments well.
• Persistent state requires careful interpreter management.

Method

Compile MicroPython to WASM, embed it via "wasmtime", manage persistent state with a threaded request queue, and expose host functions via C modules.

In practice

• Use "micropython-wasm" for secure plugin execution.
• Implement "uvx micropython-wasm -c '...'" for CLI testing.
• Integrate with Datasette Agent for AI-driven code execution.

Topics

• MicroPython
• WebAssembly
• Code Sandboxing
• Datasette Agent
• Plugin Architecture
• Secure Code Execution

Code references

• simonw/micropython-wasm
• datasette/datasette-agent
• datasette/datasette-agent-micropython
• pyodide/pyodide
• micropython/micropython

Best for: AI Architect, CTO, VP of Engineering/Data, Software Engineer, AI Engineer, AI Security Engineer

Related on AIssential

• datasette-agent-micropython 0.1a0 — MicroPython in a WASM sandbox enables safe, AI-generated code execution for Datasette Agent.
• micropython-wasm 0.1a0 — micropython-wasm enables secure, isolated execution of MicroPython code using WebAssembly and wasmtime.
• GitHub confirms 3,800 internal repos stolen through poisoned VS Code extension as supply chain worm hits Microsoft’s Python SDK — Chained supply chain and AI agent vulnerabilities are actively exploited, bypassing traditional security measures.
• Building a safe, effective sandbox to enable Codex on Windows — Effective sandboxing for coding agents on Windows requires custom solutions due to OS-level isolation gaps.
• A new native IDE approach to prevent code leakage to LLMs: Obfuscating ASTs before the API call (Verantyx) — Obfuscating code with Kanji-infused structural semantics allows LLMs to reason without exposing proprietary data.
• Type Level Security: The future of secure AI code generation? — Type-level security can eliminate entire classes of web application vulnerabilities by making insecure code uncompilable or un-type-checkable.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Simon Willison's Weblog.