Simon Willison's Weblog

Dean W. Ball highlights that frontier AI models have a narrow window to recoup training costs before competition erodes margins, and that AI infrastructure investment assumes a global market.

Timothy B. Lee compares the misconception that LLMs take no skill to the idea that managing employees requires no learning curve.

Fernando Irarrázaval ran a challenge on hackmyclaw.com to see if anyone could leak secrets held by his OpenClaw test instance via email. After 6,000 attempts ($500 in tokens, a suspended Google account), nobody succeeded. The model Opus 4.6 used an anti-prompt-injection prompt. This shows training against injection attacks is working, but caution remains necessary.

A hypothetical incident report by Andrew Nesbitt describing two AI review agents from competing vendors spiraling into a disagreement loop over a package's maliciousness, resulting in massive inference costs and a press release.

OpenAI announced a limited preview of the GPT-5.6 series, including the flagship model Sol, a balanced model Terra, and a fast, affordable model Luna. Terra matches GPT-5.5 performance at half the cost, while Luna delivers strong capability at the lowest price. Pricing per 1M tokens: Sol $5 input / $30 output; Terra $2.50 / $15; Luna $1 / $6. The series also introduces improved prompt caching with explicit breakpoints and a 30-minute minimum cache life. Due to U.S. government engagement, the release begins with a limited preview for trusted partners before broader availability.

German court rules Google liable for errors in its AI overviews. Bruce Schneier argues AI agents are agents of the deploying organization, and allowing businesses to hide behind faulty AI creates perverse incentives.

Inspired by Mozilla's new MDN MCP service, Simon Willison converted the mdn/browser-compat-data repository into a SQLite database. He used Claude Code for web (Opus 4.8) and sqlite-utils to generate the conversion script, and a GitHub Actions workflow to deploy the ~66MB database to GitHub CDN with open CORS headers, enabling direct download and exploration via Datasette Lite.

Tom MacWright observes that an increasing number of job applications are fully or partially generated by LLMs, making candidates 'accidentally anonymous'.

Simon Willison built a browser playground to test whether Origin Private File System (OPFS) can enable Datasette Lite to edit persistent SQLite files on the user's computer.

Researchers found that LLMs cannot reliably distinguish privileged text from user input, and are more influenced by text style than actual content. 'Destyling' reduces attack success from 61% to 10%, highlighting the fundamental issue of role confusion.

Simon Willison ports the Moebius 0.2B image inpainting model to run in the browser using Claude Code, converting PyTorch to ONNX for WebGPU execution. The project demonstrates the feasibility of client-only AI applications and results in a working demo at simonw.github.io/moebius-web/.

sqlite-utils 4.0rc1, the first release candidate for v4, introduces built-in database migrations and nested transactions via db.atomic(), along with several minor breaking changes.

Cloudflare announced a new feature allowing users to deploy Cloudflare Workers projects without creating an account, using the `--temporary` flag. The deployment lasts 60 minutes and can be claimed later. The feature, though marketed for AI agents, is useful for everyone.

Sean Lynch comments on Hacker News about the value of MCP (Model Context Protocol), highlighting its ability to isolate the auth flow outside the agent's context window and potentially out of the harness entirely. He suggests the idealized MCP might just be an auth gateway, but that alone would be a win.

Datasette Apps is a new plugin that lets users run self-contained HTML+JavaScript applications inside a tightly sandboxed iframe within their Datasette instance. These apps can perform read-only SQL queries and, with stored queries, write operations. The plugin leverages iframe sandbox attributes and Content Security Policy for security, uses postMessage and MessageChannel for locked-down APIs, and supports AI-assisted app generation via copyable prompts. The article discusses a security vulnerability fix involving CSP allow-listing, visible logging, and the broader vision for Datasette's evolution into a richer tool ecosystem.

Chinese AI lab Z.ai released GLM-5.2, a 753B parameter Mixture of Experts model with 1M token context, under MIT license. It leads the Artificial Analysis Intelligence Index among open weights models but is token-hungry. It also ranks 2nd on Code Arena WebDev. Despite strong performance on SVG generation, it shows inconsistency compared to its predecessor GLM-5.1.

Charity Majors observes that in 2025, the economics of code production flipped: code became free and instant, transforming from a treasured resource to a disposable commodity.

Datasette 1.0a34 introduces tools to insert, edit, and delete rows directly within the Datasette interface, inspired by Datasette Agent.

Kate Moussouris confirms that the 'jailbreak' which got Claude Fable 5 banned under export control was actually its ability to fix code. Experts warn that preventing AI from fixing bugs weakens defense, and non-technical decision-makers may ban models that help secure code based on misunderstanding.

Cybersecurity expert Katie Moussouris revealed that Anthropic shared a White House report on the Fable jailbreak with her. The report showed that Fable refused to review code for security issues but complied when asked to fix the code, which Moussouris considered the model working as intended for cyberdefense.

Simon Willison uses Cloudflare's Managed Challenge to protect his faceted search from aggressive crawlers, but even simple ?q=term searches triggered the challenge. Using Claude Code, he discovered a rule that only triggers CAPTCHA for search URLs containing at least one ampersand, allowing simple searches to pass through without challenge.

Datasette Agent 0.3a0 introduces a new execute_write_sql tool that requests user approval before writing to databases, enhancing chat mode with approval support and a --unsafe option for auto-approving operations.

An Axios piece reveals that personality clashes between Anthropic and the US government led to the shutdown of its AI models (Mythos and Fable) under export controls. Sources suggest solutions include making models jailbreak-proof or improving attitudes.

Arvind Narayanan and Sayash Kappor argue that AI will not cause mass unemployment, even in software engineering, citing NY WARN Act data and the real bottlenecks of the profession: deciding what to build, verifying deliveries, and deep human understanding.

Pyodide 314.0 now allows WebAssembly-compiled Python packages to be published directly to PyPI and installed at runtime, greatly simplifying distribution. The example package luau-wasm has been successfully published, and 28 packages are already using this new method.

Determining the source table.column for each result column in arbitrary SQLite queries is feasible because SQLite computes this internally and exposes it via its column-metadata API when compiled with SQLITE_ENABLE_COLUMN_METADATA. While Python's standard sqlite3 module doesn't surface this information, robust methods exist: using the third-party apsw library provides direct access with cursor.description_full, or a pure-stdlib ctypes bridge (column_provenance.py) can retrieve the C function sqlite3_column_table_name(), and another approach relies on parsing EXPLAIN output.

Simon Willison updates his OpenAI WebRTC Audio Session tool to support the new GPT-Realtime-2 model and allow pasting document context for conversational audio exploration.

Andrew Singleton in 'AI Economics for Dummies' satirizes the hype and circular economics in the AI industry through a story of a crematorium and a propane company.

Simon Willison details how Claude Fable 5 autonomously debugged a CSS scrollbar bug using numerous creative techniques, including writing test pages, injecting JavaScript, and building a CORS server. The session cost ~$12.11 and highlights both the power and danger of unsandboxed coding agents.

Datasette 1.0a33 is a significant alpha release extending the ?_extra= pattern to queries and rows, now documented. An AI-built API explorer demonstrates the feature.