Edit: I guess not:

> If your Dynamic Worker needs TypeScript compilation or npm dependencies, the code must be transpiled and bundled before passing to the Worker Loader.

https://developers.cloudflare.com/dynamic-workers/getting-st...

import nono_py as nono

# Define capabilities caps = nono.CapabilitySet() caps.allow_path("/project", nono.AccessMode.READ_WRITE) caps.allow_file("/home/user/.gitconfig", nono.AccessMode.READ)

# Apply sandbox (irrevocable) nono.apply(caps)

# Your agent code runs here, fully sandboxed agent.run()

example using pydantic and fast API:

https://github.com/always-further/pydantic-ai-fastapi-nono

eval(YOUR_CODE.replace('__', ''), {'__builtins__': None}, {})

I saw this trick on reddit many years ago and wrote a blog last month https://blog.est.im/2026/stdout-09

I wasn't able to crack this sandbox, and neither could opus-4.6-thinking.

This sandbox won't protect you from DoS, but I think it's reasonably safe to use it for AI tool calls. Just expose your MCP/RPC methods in the last {} and you are good.