Running Python code in a sandbox with MicroPython and WASM

This article discusses the author's experimentation with running Python code in a sandbox using MicroPython compiled to WebAssembly (WASM). The goal is to safely execute plugin code within Python applications like Datasette, LLM, and sqlite-utils, preventing malicious or buggy plugins from accessing files, network, or system resources. The author introduces the micropython-wasm alpha package and a Datasette Agent plugin. Key sandbox requirements include easy PyPI installation, memory and CPU limits, controlled file and network access, and support for host function interaction. The article covers the motivation, technical approach, and building process.