Running Python code in a sandbox with MicroPython and WASM
Simon Willison · 2026-06-06
Simon Willison releases micropython-wasm, an alpha Python package that executes untrusted Python code inside a MicroPython-in-WebAssembly sandbox with memory and CPU limits, persistent session state, and controlled host function access.
Extraction
Topics: python-sandboxing, webassembly, micropython, code-execution-safety, datasette, ai-assisted-programming
Claims
- MicroPython compiled to WebAssembly provides a viable sandbox for running untrusted Python code with enforceable memory and CPU (fuel) limits.
- Pyodide cannot be used server-side as of late 2024, making MicroPython the most practical Python-in-WASM option for embedded server applications.
- Persistent interpreter state across multiple execution calls can be achieved by running MicroPython inside WASM in a thread that blocks on a host-side queue.
- AI coding agents (Codex Desktop and GPT-5.5) generated the core implementation including 78 lines of C bridging host functions to WASM.
- WebAssembly's decade-long browser security track record and active wasmtime Python bindings make it a more reliable sandboxing substrate than V8-in-Python alternatives.
Key quotes
WebAssembly is a much better candidate. It was designed from the start to support all of the characteristics I care about and has been tested in browsers for nearly a decade.
Having complained about immature, loosely-maintained sandboxing libraries, it's deeply ironic that I've now built my own!
I'm hoping this implementation can convince some companies with professional security teams and high-stakes problems to commit to using Python in WebAssembly as a sandboxing approach and open source their own solutions.