Execute Python code using Pyodide with output capture. When generating images, they will be automatically saved to the output directory instead of being displayed. Images can be accessed from the saved file paths that will be included in the output.
AI agents invoke pyodide_execute to trigger actions in Mcp Pyodide. What it does depends on the arguments the agent supplies, and its effects often reach beyond the immediate call — builds kicked off, notifications sent, workflows started.
This tool directly executes arbitrary Python code, which is the definition of the Execute category. The severity is high because Python code execution can perform side effects depending on the arguments (file operations, network requests, system calls, data manipulation, etc.), giving an AI agent significant capability to affect external systems.
From the tool's definition Tool name is 'pyodide_execute' and description states it will 'Execute Python code using Pyodide'. The description explicitly indicates code execution capability with output capture, and mentions automatic file operations (saving images to output directory).
Documented attack patterns abuse exactly the kind of access pyodide_execute gives an agent:
PolicyLayer is an MCP gateway — it sits between your AI agents and Mcp Pyodide, and nothing reaches the server without passing your rules. This is the rule we recommend for pyodide_execute:
{
"version": "1",
"default": "deny",
"tools": {
"pyodide_execute": {
"limits": [
{
"counter": "pyodide_execute_rate",
"window": "minute",
"max": 10,
"scope": "grant"
}
]
}
}
}pyodide_execute stays usable, but rate-capped — a runaway agent can't fire it dozens of times a minute. Everything else on the server is denied unless you say otherwise.
Free to start. No card required.
Execute Python code using Pyodide with output capture. When generating images, they will be automatically saved to the output directory instead of being displayed. Images can be accessed from the saved file paths that will be included in the output. It is categorised as a Execute tool in the Mcp Pyodide MCP Server, which means it can trigger actions or run processes. Use rate limits and argument validation.
Register the Mcp Pyodide MCP server in PolicyLayer and add a rule for pyodide_execute: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches Mcp Pyodide. Nothing to install.
pyodide_execute is a Execute tool with high risk. Execute tools should be rate-limited and have argument validation enabled.
Yes. Add a rate_limit block to the pyodide_execute rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for pyodide_execute. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
pyodide_execute is provided by the Mcp Pyodide MCP server (yonaka15/mcp-pyodide). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
Start from Mcp Pyodide, add the rest of your stack, and see everything your agents can call. Then put policy on all of it.
Free to start. No card required.
5 Mcp Pyodide tools catalogued and risk-classified — across an index of 43,000+ MCP servers.