The Information Machine

Simon Willison's AI-Augmented Datasette Ecosystem: Agent, Apps, and Plugins

open · v1 · 2026-06-19 · 37 items

What

Simon Willison is building a cluster of AI-native plugins for Datasette, his open-source SQLite data tool. The active components as of mid-June 2026 are datasette-agent (an LLM-powered assistant that can now execute write operations against SQLite databases [1]), datasette-apps (sandboxed HTML/JS mini-applications backed by Datasette's parameterized stored-query system [5]), and datasette-tailscale (an early-alpha plugin exposing a Datasette instance over a Tailnet [3]). Willison uses AI tools — Claude Code for implementation research and Claude Fable 5 for security review — throughout the development process itself [4][5].

Why it matters

The project illustrates a specific pattern: an individual developer using LLMs both to accelerate difficult implementation research (e.g., navigating SQLite C-API internals) and to stress-test security — a combination that found a real privilege-escalation vulnerability before public release [5]. The datasette-apps sandboxing model (CSP-locked iframes with database write access restricted to pre-approved parameterized queries) is a practical, replicable design for LLM-generated web artifacts that need persistent data storage without opening arbitrary SQL write paths.

Open questions

  • Column provenance mapping — tracking which source table.column each result column derives from — is Willison's stated next step for Datasette query display [4]. Which of the three discovered approaches (apsw, ctypes, EXPLAIN analysis) will land in the codebase?

  • The --unsafe flag in datasette-agent 0.3a0 auto-approves all write operations [1]. How will the project manage the tension between the default safety-prompt model and power-user demand for frictionless database modification?

  • datasette-tailscale 0.1a0 carries open questions about its underlying proxy mechanism and depends on the experimental tailscale-rs Rust library [3]. Will it stabilize into a supported plugin?

  • Claude Fable 5 performed the security evaluation that found the privilege-escalation bug in datasette-apps [5] but was subsequently banned by the US government [4]. What model or process replaces it for future security review work on this project?

Narrative

Simon Willison has been building Datasette since 2017 as an open-source tool for exploring and publishing SQLite databases. In 2026, he has been layering AI capabilities directly into the ecosystem — both by creating LLM-powered plugins and by using LLMs extensively as development and security tools.

The centerpiece of the current work is datasette-agent, a plugin that lets an LLM interact with a Datasette instance through a defined set of tools. Version 0.3a0, released June 15, adds an execute_write_sql tool that prompts the user for approval before modifying the database, with an --unsafe flag that bypasses approval entirely for power users who want to chat their way into direct database modification [1]. datasette-apps (at 0.1a2) provides a system for hosting self-contained HTML+JavaScript applications inside sandboxed iframes within Datasette; write access to the database is constrained to pre-approved parameterized stored queries, and CSP configuration for those apps now requires a dedicated apps-set-csp permission, with an optional allowed_csp_origins allow-list for non-privileged users [2]. A third plugin, datasette-tailscale, arrived at 0.1a0 on June 16 using Python bindings for the experimental tailscale-rs Rust library to expose a local Datasette server over a Tailnet [3].
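An approval gate of the kind described for execute_write_sql, as an added example that is not datasette-agent's own code. It uses Python's sqlite3 authorizer callback to detect writes when the statement is compiled; `gated_execute`, `approve` and the `unsafe` parameter are hypothetical names, and the page does not say how the plugin itself classifies statements.

```python
import sqlite3

# Authorizer action codes treated as read-only; every other action needs approval.
READ_ONLY = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}

def allow_all(*_args):
    return sqlite3.SQLITE_OK

def gated_execute(conn, sql, params=(), approve=None, unsafe=False):
    """Run sql; anything beyond a read runs only if approve() agrees or unsafe is set."""
    attempted = []

    def probe(action, arg1, arg2, dbname, source):
        if action in READ_ONLY:
            return sqlite3.SQLITE_OK
        attempted.append((action, arg1))   # e.g. (SQLITE_INSERT, "notes")
        return sqlite3.SQLITE_DENY         # compilation fails, nothing is written

    conn.set_authorizer(probe)
    try:
        return conn.execute(sql, params).fetchall()
    except sqlite3.DatabaseError:
        if not attempted:
            raise                          # ordinary SQL error, not a denied write
    finally:
        conn.set_authorizer(allow_all)
    # Reached only when the probe denied at least one non-read action.
    if not (unsafe or (approve is not None and approve(sql, attempted))):
        raise PermissionError(f"write not approved: {sql}")
    return conn.execute(sql, params).fetchall()

def make_demo_db():
    """Constructed in-memory database used as sample input."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    return conn
```

Because the decision is made from the compiled statement's actions rather than from the SQL text, a write hidden behind comments or unusual casing is still held for approval.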

AI tooling has played a direct role in developing these plugins. To investigate column provenance — mapping SQLite query result columns back to their source table.column — Willison used Claude Code running Opus 4.8, which surfaced three working approaches: one using the apsw library, one calling the SQLite C API directly via ctypes (since Python's standard sqlite3 module does not expose sqlite3_column_table_name()), and one parsing EXPLAIN output [4]. For Datasette Apps, Willison ran a full security evaluation using Claude Fable 5 before the public announcement; the model found a path where a low-privileged user could create a malicious app to exfiltrate data from an administrator who visited it. Willison fixed the vulnerability — the CSP meta tag injected into each iframe is immutable once set, preventing JavaScript running inside the frame from removing the policy — and shipped the feature [5].

A detail threading through these posts: Claude Fable 5 performed the datasette-apps security evaluation before being banned by the US government; by the time Willison did the later column provenance research, the model was unavailable and he used Opus 4.8 instead [4][5]. Willison has also embedded a copyable LLM prompt containing the database schema directly in the datasette-apps plugin, so users can generate new apps by pasting it into any chat interface without Datasette-specific knowledge [5].

Timeline

  • 2026-05-21: datasette-agent initial launch announced on the Datasette blog. [6][7]
  • 2026-06-10: datasette-agent 0.2a0 released. [8]
  • 2026-06-13: Willison publishes research on mapping SQLite result columns to source table.column, using Claude Code (Opus 4.8) to find three implementation approaches; notes Claude Fable is now banned by the US government. [4]
  • 2026-06-15: datasette-agent 0.3a0 released: adds execute_write_sql tool with user-approval prompt and --unsafe auto-approve flag. [1]
  • 2026-06-15: datasette-apps 0.1a2 released: CSP origin configuration restricted to new apps-set-csp permission; fragment-link navigation bug fixed. [2]
  • 2026-06-16: datasette-tailscale 0.1a0 released as early alpha, using Python bindings for the experimental tailscale-rs Rust library. [3]
  • 2026-06-18: Full Datasette Apps announcement: describes sandboxing architecture, Claude Fable 5's security evaluation finding a privilege-escalation vulnerability, and the stored-query write-access model. [5]

Perspectives

Simon Willison

Building AI-native Datasette plugins at a steady pace, using LLMs throughout — for implementation research, security review, and as an end-user interaction layer. Transparent about design trade-offs (safety prompts vs. the --unsafe escape hatch) and about the role of AI-assisted security review in catching real vulnerabilities.

Evolution: Consistent across all posts; his approach of treating AI tools as a core part of the development workflow is established, not a new departure.

Claude Fable 5 (Anthropic model, used as security evaluator)

Identified a real privilege-escalation vulnerability in datasette-apps before public release, where a low-privileged user could exfiltrate data by tricking an administrator into visiting a malicious app.

Evolution: First appearance as a named actor in this thread; Willison treated the model's finding as authoritative and fixed the vulnerability on its basis. The model was subsequently banned by the US government, removing it as a future resource for this project.

Tensions

  • Write-access safety vs. usability: datasette-agent's default model requires explicit user approval before any SQL write executes, but the --unsafe flag bypasses all prompts, giving power users frictionless database modification via chat at the cost of the safety guarantee. [1]
  • Privilege stratification in CSP configuration: non-privileged users in datasette-apps can only select from an admin-curated allowed_csp_origins allow-list, while users with the apps-set-csp permission can configure arbitrary network and CSP origins — a balance between open customization and admin control over which external resources apps can reach. [2][5]
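The two-tier origin check described above, as an added example rather than datasette-apps code. The function names, the https-only rule and the policy string are assumptions; only the apps-set-csp permission and the allowed_csp_origins setting come from the page.

```python
from urllib.parse import urlsplit

def normalize_origin(value):
    """Return https://host[:port] or raise ValueError.

    Rejecting whitespace, ';', ',' and quotes stops a configured "origin"
    from smuggling extra directives into the generated policy.
    """
    if any(c.isspace() or c in ";,'\"*" for c in value):
        raise ValueError(f"illegal character in origin: {value!r}")
    parts = urlsplit(value)
    if parts.scheme != "https" or not parts.hostname or ":" in parts.hostname:
        raise ValueError(f"origin must be https://host[:port]: {value!r}")
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        raise ValueError(f"origin must not carry path, query or credentials: {value!r}")
    port = f":{parts.port}" if parts.port else ""
    return f"https://{parts.hostname}{port}"

def resolve_csp_origins(requested, actor_permissions, allowed_csp_origins=()):
    """Validate every origin; non-privileged actors are limited to the allow-list."""
    wanted = [normalize_origin(o) for o in requested]
    if "apps-set-csp" in actor_permissions:
        return wanted
    allowed = {normalize_origin(o) for o in allowed_csp_origins}
    rejected = [o for o in wanted if o not in allowed]
    if rejected:
        raise PermissionError(f"not on allowed_csp_origins: {rejected}")
    return wanted

def csp_meta_tag(origins):
    """Build the meta tag; this policy shape is an assumption, not the plugin's."""
    connect = " ".join(origins) if origins else "'none'"
    policy = ("default-src 'none'; script-src 'unsafe-inline'; "
              f"style-src 'unsafe-inline'; connect-src {connect}")
    return f'<meta http-equiv="Content-Security-Policy" content="{policy}">'
```

Syntax validation applies to privileged users as well, so holding apps-set-csp widens which origins may be named but not what can be written into the policy.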

Status: active and growing

Sources

  [1] datasette-agent 0.3a0 — Simon Willison (2026-06-15)
  [2] datasette-apps 0.1a2 — Simon Willison (2026-06-15)
  [3] datasette-tailscale 0.1a0 — Simon Willison (2026-06-16)
  [4] Mapping SQLite result columns back to their source `table.column` — Simon Willison (2026-06-13)
  [5] Datasette Apps: Host custom HTML applications inside Datasette — Simon Willison (2026-06-18)
  [6] Datasette Agent — reactive:datasette-agent-launch
  [7] Datasette Agent, an extensible AI assistant for Datasette - Datasette Blog — reactive:datasette-agent-launch
  [8] Release: datasette-agent 0.2a0 — reactive:willison-datasette-ai-tools