Create a Python Sandbox for Agents to Run Code

with Pyodide and Deno (via Pydantic AI)

Pydantic AI have put together a very clever, secure and lightweight sandbox that agents can run code in.

I show how to use the sandbox and how it compares with Docker and with the restricted CPython approach taken by SmolAgents.

Cheers, Ronan

P.S. The scripts are in the ADVANCED-inference repo:

Buy the Scripts

---

Video Links:

• mcp-run-python

---

Trelis Links:

🤝 Are you a talented developer? Work for Trelis

💡 Need Technical or Market Assistance? Book a Consult Here

💸 Starting a New Project/Venture? Apply for a Trelis Grant

---

Secure Code Execution: A Guide to Python Sandboxing Approaches

Three main approaches exist for sandboxing Python code execution, each with distinct tradeoffs in security, speed, and capability:

Deno-Pyodide Approach

1. Converts Python code to WebAssembly

2. Runs via Deno runtime instead of Node.js

3. Provides granular control over:

   1. Folder access permissions

   2. Network access

4. Sub-second startup time

5. Limited to WebAssembly-compatible libraries

6. Cannot run PyTorch or use CUDA

Docker/Podman Approach

1. Full container isolation

2. Supports all Python libraries

3. Slower startup (several seconds)

4. Higher resource usage

5. Can run GPU-accelerated code

Restricted CPython

1. Uses abstract syntax tree parsing

2. Implements operation counting

3. Whitelists allowed imports

4. Bans dangerous commands (exec, eval, open)

5. Limited filesystem protection

6. Fastest startup time

Implementation Details: DenoPyodide

The recommended DenoPyodide approach works by:

1. Converting Python code to WebAssembly

2. Executing via Deno runtime with permission controls

3. Using MCP (Machine Code Protocol) server from Pydantic AI

Required setup:

1. Install Deno runtime

2. Install UV package manager

3. Configure MCP server with:

   1. Network access controls

   2. Read/write permissions for node_modules only

   3. JSR repository configuration

Limitations

DenoPyodide restrictions:

1. No PyTorch support

2. No CUDA support

3. Limited to WebAssembly-compatible libraries

4. NumPy and core Python features work well

For cases requiring full PyTorch/CUDA support or other unsupported libraries, Docker/Podman approaches remain necessary despite their slower startup times.

Security Considerations

The DenoPyodide approach provides multiple security layers:

1. WebAssembly isolation

2. Deno permission controls

3. Limited filesystem access

4. Optional network restrictions

This makes it suitable for running untrusted code while maintaining reasonable performance characteristics.