P.S. I was casually searching for "sandboxed Python" for an experiment I'm working on, and reached this article that was published "today". Very nice coincidence! Thanks.
Running arbitrary untrusted code safely is pretty easy nowadays, so long as the code is written in Javascript and you want to run it in a browser. It's only a little harder if the code is written in another language but targets WASM and browser APIs, or if you want to run your WASM inside of NodeJS, and there's even good support for running Python in a browser or Node.
Once you get away from running in a JS environment or away from code that's written with the intention of running in a WASM sandbox, if you don't want to have to modify the code for your environment then you're going to start having problems. This looks like a good step for anyone wanting to run arbitrary Python outside of a browser environment.
Fair -- but I was more meaning that when I browse an arbitrary untrusted website I almost always allow the site owner to run arbitrary untrusted code on my machine. They might not send me any JS, but if they do then my browser will happily execute it.
My use-cases for server-side WASM Python are described here: https://simonwillison.net/2026/Jun/6/micropython-in-a-sandbo... - basically I want to offer end-user customization features that run custom code without buggy or malicious code crashing my app or leaking their data.
This stuff always gets me anxious for no reason because of the underlying tokenizer and prediction stochastic parrot that runs stuff, makes me wonder if I should rerun the prompt correcting the typo or accept the token tax on some interpreter that spent translating the intention.
I've tried it out a bit - it does look solid and it has a good team behind it.
It's a subset of Python though (much more so than MicroPython), which is fine for LLMs since they can easily work around any limitations but does mean you can't use a lot of existing Python code with it. I hope they implement classes soon!
I'm also a little bit nervous about the safety. It's a fresh implementation in Rust, which means plenty of possibilities for edge case security bugs. The thing I like about WebAssembly is that there's a robust, well tested sandbox already - better for defense in depth.
I certainly wouldn't bet against Monty though! It may well prove itself to be a great solution for this.
Our technology is much more general that WebContainers, and it's based on a Linux-compatible WebAssembly kernel. It also supports real command line tools, including git, bash and the complete set of busybox utilities.
The version of Claude Code you see running is completely unmodified.
The architecture is a fairly straightforward WebAssembly-native monolithic kernel. Most of the complexities come from making things work well within the browser constraints for real world, large apps.
We have quite a bit of experience on the topic however, these are previous projects of ours:
WebVM (https://webvm.io): x86 Debian shell running client-side in the browser via x86 -> WebAssembly JIT compilation
As a matter of fact WebVM and BrowserPod share the same kernel, the difference is all on the performance side.
WebVM uses x86 virtualization and hence has a significant performance penalty, with the upside of running any existing software without needing the source code.
BrowserPod on the other hand runs WebAssembly binaries at almost native speed. Source code is required, but that is a fair compromise in the world of sandboxing. Most language runtimes and CLI tools are FOSS anyway, and many closed-source tools (such as Claude Code) are written in scripting languages and run on top of FOSS engines.
Literally working on a product that does this, hah :) I really do think that AI + automation + carefully-designed guardrails will unleash a deluge of productivity for normies, and we've barely scratched the surface.
The state of AI apps is absolutely trash right now, it’s embarrassing that these companies that raised millions are releasing the shittiest slop around without any product ethos. Obviously we're seeing what sticks, but come on guys.
I'm using Brett Cannon's `https://github.com/brettcannon/cpython-wasi-build` running inside a WASI rust container with a carefully-designed host SDK (e.g. sandboxed Chromium access, diff, sandboxed filesystem, pandas subset, PDF reading, etc.). Essentially the AI sees a goal, a plan, and essentially treats the "task space" as a WASI-powered Python notebook.
Mainly focused on the user experience, and I think that local LLMs (secure/private) + standard Python + host functions + (some external stuff like screen reading & quarantined web access) is more than enough for 90% of actionable tasks.
On linux I devised this strategy for letting llm webuis or coding agent to securely run programs by burying their environment under multiple layers of locally arranged sandboxing.
Basically: run as another user -> run inside firejail sandbox -> run inside a stripped down alpine linux vm with smolvm.
P.S. directories can be easily shared between the sandboxed guest and the host os
P.P.S. to stay a bit more on the safe side I also changed the name of the package manager for the guest os to something else so that when a coding agent would try to autonomously install external packages it will fail. I've then instructed it to (politely) ask for whatever it needs to be eventually manually installed by me
The thing that's missing is Windows support and the ability to get everything I need for it in a Python program by "pip install X" for something that includes relevant binaries as well as Python code.
[OP] theanonymousone | a day ago
tmaly | a day ago
I was thinking the client side WASM version would be useful as a platform for beginners to practice a subset of Python in.
I can't really think of any good WASI use cases.
[OP] theanonymousone | a day ago
roywiggins | a day ago
andrewaylett | a day ago
Once you get away from running in a JS environment or away from code that's written with the intention of running in a WASM sandbox, if you don't want to have to modify the code for your environment then you're going to start having problems. This looks like a good step for anyone wanting to run arbitrary Python outside of a browser environment.
simonw | a day ago
I've been doing a bunch of work recently with iframe sandbox combined with CSP which appears to be a robust way to do this.
andrewaylett | 3 hours ago
simonw | a day ago
- https://lite.datasette.io - my Datasette app in a browser
- https://simonw.github.io/research/pyodide-asgi-browser/datas... is a new, improved version of that using Service Workers that's still a little experimental - notes here: https://simonwillison.net/2026/May/30/pyodide-asgi-browser/
- https://tools.simonwillison.net/micropython runs a MicroPython playground in the browser via WebAssembly
My use-cases for server-side WASM Python are described here: https://simonwillison.net/2026/Jun/6/micropython-in-a-sandbo... - basically I want to offer end-user customization features that run custom code without buggy or malicious code crashing my app or leaking their data.
incognito124 | a day ago
I have absolutely no relation to the project except for the fact that I went to the same Uni as the creator.
era86 | a day ago
simonw | a day ago
It's not quite right for what I'm after because you can't just "pip install" it on multiple platforms.
christoff12 | a day ago
dizhn | 9 hours ago
incognito124 | 8 hours ago
hmokiguess | a day ago
Was reading your https://chatgpt.com/share/6a1e2a5c-58b8-8328-ba1c-0e6aadb0a0... and noticed the "my on Python tools" instead of "my own Python tools" (apologies for the grammar police)
This stuff always gets me anxious for no reason because of the underlying tokenizer and prediction stochastic parrot that runs stuff, makes me wonder if I should rerun the prompt correcting the typo or accept the token tax on some interpreter that spent translating the intention.
simonw | a day ago
If it looks like it didn't I hit "stop" and then edit and resubmit my prompt.
fzysingularity | a day ago
simonw | a day ago
It's a subset of Python though (much more so than MicroPython), which is fine for LLMs since they can easily work around any limitations but does mean you can't use a lot of existing Python code with it. I hope they implement classes soon!
I'm also a little bit nervous about the safety. It's a fresh implementation in Rust, which means plenty of possibilities for edge case security bugs. The thing I like about WebAssembly is that there's a robust, well tested sandbox already - better for defense in depth.
I certainly wouldn't bet against Monty though! It may well prove itself to be a great solution for this.
autogn0me | 22 hours ago
simonw | 20 hours ago
fzysingularity | 18 hours ago
I’d love to see if we can get GPU access within these runtimes, that’d be awesome.
sprak | a day ago
simonw | a day ago
I have a live demo with datasette-agent-micropython running at https://agent.datasette.io - you need to sign in with GitHub to try it.
apignotti | a day ago
https://labs.leaningtech.com/blog/browserpod-deep-dive
Node.js is now fully supported, Python is in preview and Rust is coming soon.
For a glimpse of the possibilities, check our Claude Code running fully in the browser: https://browsercode.io/claude
binyu | 18 hours ago
Are you running the version of Claude code that Anthropic distributes in the browser or did you have to adapt it to run on your stack?
Cheers
apignotti | 14 hours ago
The version of Claude Code you see running is completely unmodified.
binyu | 6 hours ago
apignotti | 5 hours ago
We have quite a bit of experience on the topic however, these are previous projects of ours:
WebVM (https://webvm.io): x86 Debian shell running client-side in the browser via x86 -> WebAssembly JIT compilation
Browsercraft (https://browsercraft.cheerpj.com): Minecraft running unmodified in the browser via our WebAssembly JVM (CheerpJ)
binyu | 4 hours ago
Keep up the great work
apignotti | 4 hours ago
WebVM uses x86 virtualization and hence has a significant performance penalty, with the upside of running any existing software without needing the source code.
BrowserPod on the other hand runs WebAssembly binaries at almost native speed. Source code is required, but that is a fair compromise in the world of sandboxing. Most language runtimes and CLI tools are FOSS anyway, and many closed-source tools (such as Claude Code) are written in scripting languages and run on top of FOSS engines.
rdksu | a day ago
dvt | 23 hours ago
The state of AI apps is absolutely trash right now, it’s embarrassing that these companies that raised millions are releasing the shittiest slop around without any product ethos. Obviously we're seeing what sticks, but come on guys.
I'm using Brett Cannon's `https://github.com/brettcannon/cpython-wasi-build` running inside a WASI rust container with a carefully-designed host SDK (e.g. sandboxed Chromium access, diff, sandboxed filesystem, pandas subset, PDF reading, etc.). Essentially the AI sees a goal, a plan, and essentially treats the "task space" as a WASI-powered Python notebook.
Mainly focused on the user experience, and I think that local LLMs (secure/private) + standard Python + host functions + (some external stuff like screen reading & quarantined web access) is more than enough for 90% of actionable tasks.
Very exciting times ahead.
tuananh | 22 hours ago
it's Rust so can be compile to wasm, example: https://github.com/hyper-mcp-rs/monty-plugin
nicolix | 20 hours ago
Basically: run as another user -> run inside firejail sandbox -> run inside a stripped down alpine linux vm with smolvm.
See the whole procedure here: https://www.reddit.com/r/LocalLLaMA/comments/1tm93ng/how_i_d...
P.S. directories can be easily shared between the sandboxed guest and the host os
P.P.S. to stay a bit more on the safe side I also changed the name of the package manager for the guest os to something else so that when a coding agent would try to autonomously install external packages it will fail. I've then instructed it to (politely) ask for whatever it needs to be eventually manually installed by me
yaodub | 18 hours ago
binsquare | 20 hours ago
simonw | 19 hours ago