2026-05-20

Simon Willison — 2026-05-20#

Highlight#

Simon takes a critical look at Google I/O’s Gemini Spark announcement, digging into the opaque “Antigravity” stack and questioning how Google plans to mitigate prompt injection risks for a tool with deep access to user data. This highlights the growing industry tension between powerful workspace AI agents and fundamental security vulnerabilities.

Posts#

[Google I/O, Gemini Spark, Antigravity] · Source Sticking to his rule of only reviewing generally available tools, Simon breaks down the announcement of Gemini Spark, Google’s new OpenClaw competitor that natively integrates with Workspace apps. He notes a strange FAQ detail claiming Spark runs on “Antigravity”—a moniker applied to a desktop app, a Go-based CLI, and a VS Code fork. Crucially, Simon questions whether Google’s isolated VM approach and Agent Gateway will actually be enough to prevent an “agent security challenger disaster” when handling sensitive data via prompt injection. He also highlights that Google is deprecating its open-source Gemini CLI on June 18th in favor of a closed-source Antigravity CLI.

2026-05-21

Simon Willison — 2026-05-21#

Highlight#

The major news today is the official announcement of Datasette Agent, merging Simon’s three years of work on the LLM library with Datasette to create an extensible, conversational AI assistant for querying data. It represents a huge milestone for his ecosystem, opening the door for users to naturally interrogate their databases and easily build custom tools using a new plugin architecture.

Posts#

Datasette Agent Simon officially announced Datasette Agent, a conversational AI interface that lets users ask questions of the data stored in Datasette. The post features a live demo using Gemini 3.1 Flash-Lite to successfully query a blog database to find a bird-watching record. He highlights a growing plugin ecosystem—including charts, image generation, and sandbox execution—and notes that tools like Claude Code and OpenAI Codex are proving excellent at writing these extensions. Looking ahead, Simon teased a major refactor for his LLM library, a Claude Artifacts-style plugin, and a personal AI assistant named “Claw” built using his older Dogsheep tools.

2026-05-24

Simon Willison — 2026-05-24#

Highlight#

Today’s most resonant post is a highlighted quote from Armin Ronacher calling out the damaging rise of AI-generated “slop” in open-source issue trackers. It serves as a stark, practical reminder that while AI coding agents are powerful, developers must preserve raw, human-observed context in bug reports rather than relying on LLMs to rewrite and hallucinate root causes.

Posts#

[Quoting Armin Ronacher] · Source Simon amplifies Armin Ronacher’s frustration with a new, frustrating failure mode in open-source maintenance: AI-rewritten issue reports. Users are feeding observed bugs into LLMs (referred to as “clankers”), which spit out confident but highly inaccurate guesswork, fake-minimal repros, and irrelevant code analogies. The core takeaway is a plea to return to the basics of bug reporting: simply state what command you ran, what you expected, what actually happened, and provide the exact error log.

2026-05-26

Simon Willison — 2026-05-26#

Highlight#

Today’s updates emphasize the dual-edged sword of AI in security, contrasting how AI tools are overwhelming open-source maintainers with a flood of valid vulnerability reports while simultaneously introducing novel data exfiltration risks in enterprise agentic systems like Microsoft Copilot.

Posts#

The pressure · Source Daniel Stenberg highlights the unprecedented toll that high-quality, AI-assisted security reports are taking on the curl project’s team. The volume of credible vulnerabilities has surged to over one report per day—double the rate seen in 2025—leading to severe work-life balance issues for maintainers. Fortunately, because curl is well-architected, these AI-discovered flaws are almost exclusively categorized as LOW or MEDIUM severity, with no HIGH severity issues found since late 2023.

2026-05-27

Simon Willison — 2026-05-27#

Highlight#

Simon makes a compelling case that April 2026 marks a new inflection point where frontier AI labs have found true product-market fit with coding agents. By analyzing sudden enterprise pricing pivots, sales hiring sprees, and massive inference compute deals, he illustrates how the enterprise adoption of AI agents is finally turning massive usage into real revenue.

Posts#

I think Anthropic and OpenAI have found product-market fit Simon argues that the sudden shift by OpenAI and Anthropic to charge enterprise customers full API token prices for agent usage signals true product-market fit. He notes that heavy coding agent users easily burn thousands of dollars in token equivalents, prompting labs to pivot away from middlemen like Cursor or Copilot to capture this enterprise value directly. The piece features some classic Simon dogfooding—using Claude Code and Datasette Agent to analyze AI lab job listings—and highlights a SpaceX S-1 filing revealing Anthropic’s staggering $1.25 billion monthly compute spend.

2026-05-28

Simon Willison — 2026-05-28#

Highlight#

Anthropic’s release of Claude Opus 4.8 brings welcome improvements to model honesty and prompt caching, which Simon immediately put to the test using his newly updated llm-anthropic CLI plugin to generate SVGs of pelicans riding bicycles.

Posts#

Claude Opus 4.8: “a modest but tangible improvement” Simon highlights Anthropic’s refreshing honesty in marketing this release as an incremental upgrade, noting the model’s decreased hallucination rate achieved by simply abstaining when uncertain. Key technical changes include a reduced prompt cache minimum of 1,024 tokens and the ability to insert system messages mid-conversation, which preserves cache hits and reduces input costs in agentic loops. He tested the model by generating SVG pelicans riding bicycles at different thinking levels via his LLM CLI, using Opus 4.8 to build the rendering HTML tool and relying on GPT-5.5 as a “code security blanket” to patch XSS vulnerabilities.

2026-06-01

Simon Willison — 2026-06-01#

Highlight#

The standout piece today is a staggering security failure at Meta, where an overly empowered AI support bot allowed hackers to hijack high-profile Instagram accounts simply by asking. It serves as a stark, practical reminder of the dangers of wiring LLMs directly into sensitive operational workflows without robust authorization safeguards.

Posts#

Hackers Simply Asked Meta AI to Give Them Access to High-Profile Instagram Accounts. It Worked Simon highlights a massive security oversight where attackers successfully bypassed the Instagram account recovery process merely by instructing Meta’s AI support bot to link a new email address to a target username. He notes this barely qualifies as a sophisticated prompt injection, but rather a profound architectural failure where Meta granted an AI chatbot the ability to fast-forward through the entire account recovery process. The core takeaway is a blunt warning to developers: never wire your support bots to execute one-shot account takeovers.

2026-06-02

Simon Willison — 2026-06-02#

Highlight#

The most substantive post today is Simon’s commentary on Microsoft’s newly announced MAI models, which stand out not just for their small parameter counts (5B and 35B) but for the surprising claim that they were trained entirely on “clean and commercially licensed data”. This could signal a major shift away from models relying on unlicensed web scrapes.

Posts#

Microsoft’s new MAI models · Source Simon dissects the surprise drop of two new text LLMs at Microsoft Build: MAI-Thinking-1 (a 35B reasoning model) and MAI-Code-1-Flash (a 5B model for Copilot/VS Code). He’s particularly impressed that a 35B model reportedly beats Sonnet 4.6 in human evaluations, given he regularly runs larger models locally. The biggest takeaway, however, is Microsoft’s emphasis on using “appropriately licensed” data—raising the exciting prospect of highly capable code models built without controversial web scraping.

2026-06-05

Simon Willison — 2026-06-05#

Highlight#

Simon highlights a major shift in open-source maintainership as Andreas Kling announces the Ladybird browser will no longer accept public pull requests. This points to a growing structural challenge in the generative AI era, where the sheer volume of AI-generated patches breaks the traditional open-source proxy of “effort equals good faith”.

Posts#

Quoting Andreas Kling Simon shares a striking quote from Andreas Kling regarding the Ladybird browser project’s decision to halt public pull requests. Kling notes that LLMs and generative AI have decoupled the size of a patch from the effort required to create it, effectively destroying the assumption that large patches automatically represent good-faith contributions. The core takeaway here is that as AI reshapes coding workflows, open-source projects must shift their focus entirely to strict human accountability—ensuring that the people introducing changes are fully responsible for the consequences of that code entering the project.

2026-06-06

Simon Willison — 2026-06-06#

Highlight#

The single most substantive piece today is Simon’s deep dive into building a safe WebAssembly sandbox for Python, tackling the highly risky business of executing untrusted, AI-generated code. It is a perfect example of using AI coding assistants to quickly prototype complex C and WASM integrations to solve a critical developer tooling problem.

Posts#

Running Python code in a sandbox with MicroPython and WASM · Source Simon tackles the security risks of running fully privileged plugin code in Python applications by embedding MicroPython within a WebAssembly environment. Using AI assistants like GPT-5.5 Pro, Codex Desktop, and Claude, he rapidly prototyped micropython-wasm, an alpha package that maintains persistent interpreter state and strictly controls file, network, and host function access. This vibe-coded sandbox is already powering a new code execution plugin for Datasette Agent, demonstrating a highly practical approach to executing AI-generated code safely without compromising the host system.