Simon Willison's MicroPython/WASM Sandboxed Code Execution for AI Agents

Simon Willison published three alpha packages on June 2, 2026, aimed at sandboxed Python execution for AI agents.

• micropython-wasm 0.1a0 bundles a customized WASM build of MicroPython, running it via the Python wasmtime bindings. [1]
• micropython-wasm 0.1a1 followed the same day with bug fixes uncovered during downstream development. [2]
• datasette-agent-micropython 0.1a0 integrates the sandbox into Datasette Agent, so LLM-generated Python runs inside MicroPython/WASM rather than natively. [3]
• Early testing shows GPT-5.5 has not yet broken out of the sandbox. [3]

Letting an LLM execute arbitrary code is useful but risky without reliable isolation. Willison's approach stacks two independent containment layers — MicroPython's restricted Python subset and WebAssembly's memory isolation — and packages both as a pip-installable library, lowering the bar for developers building agent pipelines that need code execution.

Simon Willison released a set of alpha packages on June 2, 2026, aimed at solving a concrete problem in AI agent development: how to let a language model generate and execute Python code without that code escaping into the host environment. The core package, micropython-wasm, bundles a customized WebAssembly build of MicroPython and runs it through the Python wasmtime bindings. By combining MicroPython's limited Python subset with WebAssembly's memory isolation model, the approach stacks two layers of containment that are independent of each other. [1]

The initial 0.1a0 release was followed the same day by a 0.1a1 that patched limitations discovered during development of the companion plugin. [2] That companion plugin, datasette-agent-micropython, hooks into Datasette Agent — Willison's LLM-powered assistant for the Datasette data exploration tool — and routes code-execution requests through the MicroPython/WASM sandbox instead of running them natively. [3] Willison describes the project as a personal experiment and characterizes both packages as alpha-quality, but reports that GPT-5.5 has not yet successfully escaped the sandbox in early testing. [3]

The wider space of WASM-based sandboxing for AI agents includes other projects — a WASM bash shell sandbox for agents appeared on Hacker News [4], and at least one Medium post addresses building LLM code sandboxes with WebAssembly [5] — but these appear in the thread's reactive search results without substantive analysis or direct comparison to Willison's method. The thread so far reflects a single author's framing; no independent commentary, security analysis, or third-party testing has entered the picture.