/ Directory / Playground / CodeRunner
← All servers ↗ GitHub
● Community instavm ⚡ Instant

CodeRunner

by instavm · instavm/coderunner

VM-isolated code execution for agents — Python, Playwright, persistent Jupyter kernel, all sandboxed off your host.

CodeRunner gives Claude (and other agents) a secure, persistent sandbox: run Python with a long-lived Jupyter kernel, scrape with Playwright, manipulate PDFs and images. Container-based VM-level isolation means you can let an agent execute untrusted code without trashing your machine. Exposes itself as MCP so it works in any client.

▶ Watch demo 📦 Install 💡 Use Cases

Why use it

Key features

Live Demo

What it looks like in practice

ready

Install

Pick your client

~/Library/Application Support/Claude/claude_desktop_config.json  · Windows: %APPDATA%\Claude\claude_desktop_config.json
{
  "mcpServers": {
    "coderunner-skill": {
      "command": "git",
      "args": [
        "clone",
        "https://github.com/instavm/coderunner",
        "~/.claude/skills/coderunner"
      ],
      "_inferred": true
    }
  }
}

Open Claude Desktop → Settings → Developer → Edit Config. Restart after saving.

~/.cursor/mcp.json · .cursor/mcp.json
{
  "mcpServers": {
    "coderunner-skill": {
      "command": "git",
      "args": [
        "clone",
        "https://github.com/instavm/coderunner",
        "~/.claude/skills/coderunner"
      ],
      "_inferred": true
    }
  }
}

Cursor uses the same mcpServers schema as Claude Desktop. Project config wins over global.

VS Code → Cline → MCP Servers → Edit
{
  "mcpServers": {
    "coderunner-skill": {
      "command": "git",
      "args": [
        "clone",
        "https://github.com/instavm/coderunner",
        "~/.claude/skills/coderunner"
      ],
      "_inferred": true
    }
  }
}

Click the MCP Servers icon in the Cline sidebar, then "Edit Configuration".

~/.codeium/windsurf/mcp_config.json
{
  "mcpServers": {
    "coderunner-skill": {
      "command": "git",
      "args": [
        "clone",
        "https://github.com/instavm/coderunner",
        "~/.claude/skills/coderunner"
      ],
      "_inferred": true
    }
  }
}

Same shape as Claude Desktop. Restart Windsurf to pick up changes.

~/.continue/config.json
{
  "mcpServers": [
    {
      "name": "coderunner-skill",
      "command": "git",
      "args": [
        "clone",
        "https://github.com/instavm/coderunner",
        "~/.claude/skills/coderunner"
      ]
    }
  ]
}

Continue uses an array of server objects rather than a map.

~/.config/zed/settings.json
{
  "context_servers": {
    "coderunner-skill": {
      "command": {
        "path": "git",
        "args": [
          "clone",
          "https://github.com/instavm/coderunner",
          "~/.claude/skills/coderunner"
        ]
      }
    }
  }
}

Add to context_servers. Zed hot-reloads on save.

claude mcp add coderunner-skill -- git clone https://github.com/instavm/coderunner ~/.claude/skills/coderunner

One-liner. Verify with claude mcp list. Remove with claude mcp remove.

Use Cases

Real-world ways to use CodeRunner

Let Claude run untrusted code without putting your laptop at risk

👤 Devs experimenting with auto-generated code ⏱ ~15 min intermediate

When to use: You want Claude to write + run a script you didn't fully review.

Prerequisites
  • macOS Apple Silicon + Python 3.10+ — Current limitation; Linux support varies
  • Skill installed — git clone + ./install.sh per project README
Flow
  1. Hand it the task
    Use coderunner. Write a Python script that downloads my Strava activities CSV from <url>, parses, and computes weekly mileage. Run it in the sandbox.✓ Copied
    → Script executed; output shown; nothing touched my filesystem
  2. Iterate
    Add a chart of weekly mileage. Re-run.✓ Copied
    → Chart rendered; kernel state preserved (no re-import)
  3. Export results
    Save CSV + chart to ./out/ on host (this only).✓ Copied
    → Only that one path written; sandbox stays sealed

Outcome: Quick experiments without 'oops, it deleted /Users'.

Pitfalls
  • Network access still allowed in sandbox — Disable network if running truly untrusted code; otherwise it can exfiltrate
Combine with: filesystem

Persistent data analysis with Claude

👤 Analysts using Claude as a Jupyter copilot ⏱ ~30 min beginner

When to use: You want a 30-minute exploratory data session without losing kernel state.

Flow
  1. Load data once
    Use coderunner. Load /data/sales.csv into df. Show schema + 5 sample rows.✓ Copied
    → df in kernel; persists for the session
  2. Ad-hoc queries
    Pivot by region × month, show top 5 anomalies.✓ Copied
    → Pivot + flagged rows
  3. Export
    Save the anomalies subset to /out/anomalies.csv on host.✓ Copied
    → CSV in /out/

Outcome: Notebook-quality analysis through chat, with actual code running.

Pitfalls
  • Kernel state drifts across long sessions; results based on stale variables — Restart the kernel between unrelated tasks; Claude can issue %reset
Combine with: filesystem

Scrape a JS-heavy site safely

👤 Devs needing one-off data from SPAs ⏱ ~20 min intermediate

When to use: Site needs full browser; you don't want a Chrome process running on your host.

Flow
  1. Spin up a session
    Use coderunner Playwright. Open <url>, wait for the table, extract rows as JSON.✓ Copied
    → JSON returned; browser stayed in sandbox
  2. Iterate selectors
    Selector missed the price column; adjust to find it.✓ Copied
    → Updated selector; data complete

Outcome: Data extracted; no host browser footprint.

Pitfalls
  • Site detects headless and blocks — Switch to chromium with --headed=false-but-stealth options the skill exposes

Combinations

Pair with other MCPs for X10 leverage

coderunner-skill + filesystem

Move data in/out of the sandbox via mounted paths only

Mount only /Users/me/data and /Users/me/out; everything else is read-only.✓ Copied
coderunner-skill + duckduckgo-mcp

Search → fetch → analyze pipeline

Search via duckduckgo, scrape via coderunner Playwright, analyze in Python.✓ Copied

Tools

What this MCP exposes

ToolInputsWhen to callCost
run_python code: str Any code execution 0
browser_navigate url, wait_for? Playwright session for SPA scraping 0
browser_extract selector, format Pull data after navigate 0
pdf_ops input_path, op, args PDF merge / split / extract 0
image_ops input_path, op, args Resize, format conversion, OCR 0
kernel_reset Between unrelated sessions 0

Cost & Limits

What this costs to run

API quota
None — local
Tokens per call
Just the code/output tokens
Monetary
Free
Tip
Persistent kernel saves tokens vs re-importing; reset only when state is wrong

Security

Permissions, secrets, blast radius

Minimum scopes: Mounted filesystem paths only Network on/off via config
Credential storage: Don't put secrets in the sandbox unless you're OK with the agent seeing them
Data egress: If network is on, sandbox can hit any URL — disable for sensitive runs
Never grant: Mount of $HOME or / — sandbox loses its point

Troubleshooting

Common errors and fixes

install.sh fails on Linux

Project is macOS Apple Silicon first-class; Linux support varies. Check the issues for distro-specific notes

Playwright stale state

Run kernel_reset; old browser context can persist across calls

Sandbox can't reach the internet

Network disabled in config; flip if you need it. Conversely, isolate when not needed

PDF/image skill missing dependencies

Container image bundles common ones; rebuild image to add custom deps

Alternatives

CodeRunner vs others

AlternativeWhen to use it insteadTradeoff
Anthropic code execution betaYou want server-side execution without local sandboxCloud-side; data leaves your machine
Docker by handYou want full control of the container imageManual setup; no MCP server out of the box

More

Resources

📖 Read the official README on GitHub

🐙 Browse open issues

🔍 Browse all 400+ MCP servers and Skills