Python
A RocketRide tool node that lets an AI agent execute Python code in a restricted in-process sandbox.
What it does
Gives an agent the ability to run Python scripts directly: for data manipulation, calculations, formatting, and any logic the agent needs to execute rather than describe. The node exposes a single tool, python.execute, which takes source code, runs it, and returns captured stdout, error tracebacks, an exit code, and an optional structured result.
Uses RestrictedPython: code is compiled with compile_restricted, which injects runtime guards against attribute/item access escapes, and runs against safe_builtins with dangerous builtins removed. Imports are gated by an allowlist: only a default set of safe, pure-computation stdlib modules (plus any extras you configure) can be imported; everything else raises ImportError. With the default allowlist there is no network, filesystem, or subprocess access.
Execution is bounded by a timeout (20 seconds by default, configurable up to 1200) and output is truncated to 50 KB. The node has no lanes: it is attached to an agent as a tool.
Configuration
| Field | Type | Description |
|---|---|---|
| serverName | string | Default "python". Namespace prefix for the tool: |
| moduleName | string | Default empty. |
| timeout | integer | Default 20. Maximum seconds a script may run before it is killed. Useful for long-running operations like network scans. Default is 20s, max is 1200s. |
| allowedModules | array | Modules the agent is allowed to import, in addition to the built-in defaults (math, json, re, collections, datetime, etc.). |
The node has a single preconfig profile (default), which sets serverName to python.
If timeout is left unset (or is not a valid integer), the sandbox default of 20 seconds applies.
Available tools
execute
Execute a Python script and return its output. The tool description shown to the agent is generated dynamically and includes the effective timeout and the full list of allowed imports.
| Tool | Description |
|---|---|
| execute | Execute Python code in a sandboxed environment. |
Response:
{
"stdout": "...",
"stderr": "...",
"exit_code": 0,
"timed_out": false,
"result": null
}
- exit_code is 0 on success, 1 on exception (or blocked compilation), -1 on timeout.
- stdout is the captured print() output; stderr carries the traceback if the script raised.
- If the script assigns a value to a variable named result, it is returned in the result field. JSON-compatible values (str, int, float, bool, list, dict, None) are returned as-is; anything else is returned as its repr().
- stdout and stderr are each truncated to 50 KB, keeping the head and tail with a truncation marker in between.
- SystemExit is handled: sys.exit() / sys.exit(n) sets the exit code instead of crashing the tool.
Sandbox
Code runs in a restricted in-process sandbox built on RestrictedPython:
- Restricted compilation: compile_restricted transforms the AST to inject runtime guard calls that prevent attribute/item access escapes. Code that violates the compilation policy is rejected with exit_code: 1.
- Safe builtins: RestrictedPython's safe_builtins replaces the full __builtins__. A curated set of everyday data-work builtins is added back (dict, list, set, enumerate, map, filter, max, min, sum, print, type, and similar).
- Allowlist-only imports: a gated __import__ permits only allowlisted modules (matched on the top-level package name). Everything else raises ImportError listing the allowed modules.
- Timeout enforcement: the script runs in a daemon thread; if it exceeds the timeout the call returns with timed_out: true and exit_code: -1.
Default allowed modules
math, cmath, decimal, fractions, statistics, random, string, textwrap, re, json, csv, collections, itertools, functools, operator, copy, dataclasses, enum, typing, datetime, time, calendar, base64, hashlib, hmac, struct, difflib, pprint, bisect, heapq, array, numbers, unicodedata
Extra allowed modules and auto-install
Modules added via allowedModules are merged with the defaults. If an extra allowlisted module is imported but not installed, the node auto-installs it via pip (60-second install timeout) and retries the import.
Note that allowlisting extra modules widens the sandbox accordingly: allowing a package like requests grants the agent network access through that package. Only the default allowlist guarantees no filesystem, network, or subprocess access.
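The allowlist gate described under Sandbox, and the way allowedModules widens it, shown as an added sketch that is not RocketRide's own code. The names run, make_gated_import and the shortened DEFAULT_ALLOWED set are hypothetical, and plain exec() stands in for compile_restricted, so none of RestrictedPython's guards apply here.

```python
import builtins
import traceback

# Shortened subset of the default allowlist, for the example only.
DEFAULT_ALLOWED = frozenset({"math", "json", "re", "collections", "datetime"})


def make_gated_import(extra_modules=()):
    """Build an __import__ replacement that admits only allowlisted top-level packages."""
    allowed = DEFAULT_ALLOWED | set(extra_modules)  # extras are merged with the defaults

    def gated_import(name, globals=None, locals=None, fromlist=(), level=0):
        top_level = name.partition(".")[0]  # "collections.abc" is matched as "collections"
        if level != 0 or top_level not in allowed:
            raise ImportError(
                f"import of {name!r} is not allowed; "
                f"allowed modules: {', '.join(sorted(allowed))}"
            )
        return builtins.__import__(name, globals, locals, fromlist, level)

    return gated_import


def run(source, extra_modules=()):
    """Execute source behind the gate; return exit_code, stderr and result like the tool response."""
    # Assumption: a near-empty builtins dict replaces safe_builtins for brevity.
    env = {"__builtins__": {"__import__": make_gated_import(extra_modules), "len": len}}
    try:
        exec(compile(source, "<agent>", "exec"), env)
    except Exception:
        return {"exit_code": 1, "stderr": traceback.format_exc(), "result": None}
    return {"exit_code": 0, "stderr": "", "result": env.get("result")}
```

Running the same script with and without an extra module such as socket in extra_modules shows the import flipping from ImportError to success, which is the review point for every entry added to allowedModules.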
Schema
| Field | Type | Description | Default |
|---|---|---|---|
| tool_python.allowedModules | array | Additional Allowed Modules. Modules the agent is allowed to import, in addition to the built-in defaults (math, json, re, collections, datetime, etc.). | |
| tool_python.moduleName | string | Module name | "" |
| tool_python.serverName | string | Server name. Namespace prefix for the tool: | "python" |
| tool_python.timeout | integer | Execution timeout (seconds). Maximum seconds a script may run before it is killed. Useful for long-running operations like network scans. Default is 20s, max is 1200s. | 20 |