So their method of sandboxing Python code is to spin up a JS runtime (deno), run Pyodide on it, and then run the Python code in Pyodide.

Seems a lot of work to me. Is this really the best way to create and run Python sandboxes?

I hacked around with this a bit and figured out a way to get it to spit out logging of the prompts and responses to the server: https://gist.github.com/simonw/54fc42ef9a7fb8f777162bbbfbba4...

Short-ish version:

    ANTHROPIC_API_KEY="$(llm keys get anthropic)" \
    uv run --with devtools --with pydantic-ai python -c '
    import asyncio
    from devtools import pprint
    from pydantic_ai import Agent, capture_run_messages
    from pydantic_ai.mcp import MCPServerStdio

    server = MCPServerStdio(
        "deno",
        args=[
            "run",
            "-N",
            "-R=node_modules",
            "-W=node_modules",
            "--node-modules-dir=auto",
            "jsr:@pydantic/mcp-run-python",
            "stdio",
        ],
    )

    agent = Agent("claude-3-5-haiku-latest", mcp_servers=[server])

    async def main():
        with capture_run_messages() as messages:
            async with agent.run_mcp_servers():
                result = await agent.run("How many days between 2000-01-01 and 2025-03-18?")
        pprint(messages)
        print(result.output)

    asyncio.run(main())'

I got it running against Mistral Small 3.1 running locally too - notes on that here: https://simonwillison.net/2025/Apr/18/mcp-run-python/

cool!! you might also want to check out https://www.mcp.run/dylibso/eval-py

It's open source too :) https://github.com/dylibso/mcp.run-servlets/tree/main/servle...

We also use Wasm to sandbox all our servlets https://docs.mcp.run/blog/2025/04/07/mcp-run-security

(I work at Dylibso)

Bookmarked it. We took another approach which provides more flexibility but at the cost of slower spin up. Basically we use firecracker vm. We mount the attachments and everything else into the vm so that the agent can run tools on them (anything on the os) and we destroy the machine at the very end. It works! It is also as secure as firecracker goes.

But I like using WASM especially in a hosted environment like Deno. It feels like a more scaleable solution and probably less maintenance too with the downside that that we wont be able to run just any cmd.

I am happy to provide more details and point to the tool is anyone is interested. It is not open-source but you can play with it for free.

All of these Agent frameworks are already overwhelming. Insert joke about parallels to the JavaScript ecosystem.

What agent framework is truly the top dog? Is it just working with the big model providers native frameworks, such as OpenAI’s Agents SDK?

Having watched the repeated immolation of blissful innocence since smart email clients would run whatever smart (OLE? Smart? I'm kidding.) document was delivered, this is going to be so much fun in a trainwreck kind of way.

I keep seeing this MCP thing and I'm really happy that people are getting into Burroughs mainframes rather than that stupid AI crap.

Nice! I'm working on a way to do this for javascript using v8 https://github.com/r33drichards/mcp-js. Right now this works but there is some significant jank.

Hi, I don’t really know anything honestly, but I do remember an ai I running on my laptop using xpip or xpython as a contained environment I think it’s a single instance, would that work or is that close???

How secure is this? I tried building something similar, but it was taking too long to setup a fully virtualized solution like kata container or firecracker.

Why not Pyodide directly in python?

Woof, use with care

Crap but it's mcp so being good isn't the point anyway

Cool!