Pydantic has introduced an open-source server designed to let AI agents execute Python code within a secure, isolated environment. The new tool leverages the Model Context Protocol (MCP), an open standard initiated by Anthropic, aiming to provide a standardized method for AI systems to utilize Python for tasks without direct access to the host system.
The server achieves isolation by executing code using Pyodide, a Python runtime compiled to WebAssembly (a low-level binary format enabling near-native performance in web environments), running inside the security-conscious Deno JavaScript/TypeScript runtime. This approach aims to give AI agents the ability to perform Python-based tasks safely.
It addresses a frequent challenge in building capable AI agents: allowing them to perform complex computations or interact with libraries using Python, while mitigating the security risks associated with executing arbitrary code. Pydantic’s documentation for the tool, available at ai.pydantic.dev, details its features, including robust capture of standard output, standard error, and return values, support for asynchronous code, automatic dependency management, and detailed error reporting.
A Standardized Bridge for AI Tools
The Model Context Protocol itself was launched by AI company Anthropic in November 2024. Its creation was motivated by the difficulties in connecting AI models to the diverse external tools and data sources they often need.
As Anthropic explained during the official protocol announcement, “Every new data source requires its own custom implementation, making truly connected systems difficult to scale.” MCP establishes a standard client-server architecture using standard HTTP.
AI applications function as MCP clients, querying MCP servers that expose specific capabilities like functions (Tools), data access (Resources), or interaction templates (Prompts). Pydantic’s mcp-run-python acts as a specialized server within this framework, offering the distinct capability of general Python code execution through its primary tool, identified as run_python_code in its documentation examples.
Sandboxing, Dependencies, and Usage
The security model of mcp-run-python relies on the layered sandboxing provided by Pyodide (WebAssembly) and Deno. This design inherently restricts code from accessing the host system’s file system or network unless explicitly permitted for package downloads.
An AWS blog post discussing MCP servers highlighted the benefit of such protocols allowing interaction “…all while keeping sensitive data local.” When an agent sends Python code to the server via the run_python_code tool, the server executes it and returns a structured XML response. According to the documentation examples, this response typically contains tags like (indicating success or error), (listing installed packages), (for stdout), (if applicable), and either or with traceback details.
A key feature is its handling of Python packages. According to the PydanticAI MCP documentation, the server can infer dependencies by analyzing `import` statements within the submitted code.
Alternatively, developers can explicitly declare dependencies, including specific versions for non-binary packages supported by Pyodide, using inline comments formatted according to the PEP 723 specification—a standard for embedding project metadata within single-file scripts, also utilized by tools like the uv package installer. This allows for precise control over the execution environment.
Installation and execution are handled via the Deno runtime. Pydantic’s documentation recommends using the `deno run` command with the official JSR package identifier. Specific flags (`-N`, `-R=node_modules`, `-W=node_modules`, `–node-modules-dir=auto`) are required to grant the necessary permissions for Pyodide to download and cache Python components locally in a `node_modules` directory.
This approach using Deno and JSR replaces the previously available, but now deprecated, NPM package. The server can be started in different modes: `stdio` for direct interaction with a local subprocess using the MCP stdio transport, `sse` to run as an HTTP server using the MCP Server-Sent Events transport, or `warmup` to pre-cache components and verify the setup, useful for optimizing first-run performance.
Integration Within the MCP Ecosystem
Pydantic officially announced its broader support for the MCP within the PydanticAI framework around March 20, aligning `mcp-run-python` with its agent development tools. Developers using PydanticAI (which requires Python 3.10+ for MCP features) can connect to `mcp-run-python` or other MCP servers using client classes like `MCPServerStdio` or `MCPServerHTTP`, detailed in the PydanticAI client documentation.
The library includes convenience features like the `agent.run_mcp_servers()` context manager to automatically handle the lifecycle of `stdio`-based servers. The PydanticAI examples also demonstrate integration with Logfire for observability, using `logfire.instrument_mcp()`. The server itself supports emitting execution logs as MCP logging messages, although the documentation noted a temporary limitation in the Python MCP client SDK regarding the processing of these logs at the time.
The release of `mcp-run-python` adds to a growing number of MCP server implementations. Microsoft, which integrated MCP into Azure AI around March and collaborated with Anthropic on the official C# SDK, subsequently previewed MCP servers for Azure resources and PostgreSQL in April.
Similarly, AWS launched its own suite of open-source MCP servers targeting specific AWS services like Bedrock, Lambda, and CDK, hosted in the awslabs/mcp repository. These developments indicate increasing adoption of MCP as a common interface layer.
Client applications known to support connecting to MCP servers include Anthropic’s Claude Desktop, the Cursor code editor, Amazon Q, and VS Code via GitHub Copilot Agent Mode.
Simon Willison examined `mcp-run-python`, noting the effectiveness of the Deno/Pyodide sandboxing approach and providing examples of running PydanticAI agents using the server directly via the `uv run` command.
The MCP specification itself also continues to evolve; updates around early 2025 reportedly introduced OAuth 2.1 requirements for remote authentication and refined transport mechanisms.
While the MCP offers a standardized way to extend AI agent capabilities, developers need to consider factors like potential network latency with HTTP-based transports and the responsibility of implementing robust error handling and security practices for production deployments.
