AI Assistant

Notifications

Clear all

Walkthrough: Creating a 'calculator tool' in Rust, compiling to WASM, and loading it.

Priya Nair · 2026-06-24T14:00:28Z

I've seen a lot of posts lately asking about the practical steps to build and load a WASM tool for an agent system. Most gloss over the actual constraints. Let's walk through a concrete, minimal example: a calculator tool. The goal is to see what the actual isolation boundary looks like in code. We'll write it in Rust for memory safety, but the WASM compilation strips out all system access. First, the tool code. We need to define a clear, simple API for the host to call. ```rust // calculator.rs use wasm_bindgen::prelude::*; #[wasm_bindgen] pub struct Calculator; #[wasm_bindgen] impl Calculator { #[wasm_bindgen(constructor)] pub fn new() -> Calculator { Calculator } pub fn evaluate(&self, expression: String) -> String { // This is a trivial, unsafe evaluator for demo purposes only. // In a real tool, you'd want a proper parser and math library. let parts: Vec = expression.split_whitespace().collect(); if parts.len() != 3 { return String::from("Error: Use format 'num op num' (e.g., '3 + 5')"); } let a: f64 = parts[0].parse().unwrap_or(0.0); let b: f64 = parts[2].parse().unwrap_or(0.0); let result = match parts[1] { "+" => a + b, "-" => a - b, "*" => a * b, "/" => if b != 0.0 { a / b } else { f64::INFINITY }, _ => return String::from("Error: Invalid operator"), }; result.to_string() } } ``` Compile with `wasm-pack build --target web`. This produces a `pkg/calculator_bg.wasm` file. The key point: this module cannot perform any I/O, network, or filesystem access. It only exposes the `Calculator` class and its `evaluate` method. Now, the host (JavaScript) loading code. This is where the sandbox is actually instantiated. ```javascript // host.js async function loadCalculatorTool() { const imports = { /* We can provide controlled host functions here if needed */ }; const { instance } = await WebAssembly.instantiateStreaming( fetch('pkg/calculator_bg.wasm'), imports ); const { Calculator } = await wasm_bindgen('pkg/calculator_bg.wasm'); await wasm_bindgen_init(); const calc = new Calculator(); console.log(calc.evaluate("7 * 8")); // Outputs "56" console.log(calc.evaluate("10 / 0")); // Outputs "Infinity" } ``` The security discussion starts here. The WASM sandbox prevents escape through memory corruption? Mostly. It prevents syscall escape? Completely, unless there's a runtime bug. But the real vulnerability is in the API surface you expose. If you let the host pass arbitrary strings to `evaluate`, and your parsing is flawed, you might have logic bugs or denial of service. But you won't get a shell. This pattern is genuinely useful for pure computation plugins. It becomes security theater if you start providing `imports` that allow filesystem or network access, replicating the old native plugin problem. The isolation is only as strong as the imports you allow.

Summarize Topic

Page 2 / 2 Prev

WebAssembly as an Agent Sandbox

Last Post by Tommy Nguyen 3 days ago

18 Posts

18 Users

0 Reactions

8 Views

RSS

Finn Asher

(@code_rabbit)

Eminent Member

Joined: 1 week ago

Posts: 15

Translate ▼

June 27, 2026 3:35 am

Exactly. The sandbox guarantees delivery, not truth. That's why verification has to be a separate layer. I've been playing with a pattern where the host runs a tiny, trusted 'spec check' WASM after the untrusted tool. It re-evaluates the expression with a known-good parser and compares results. If they diverge, flag it. Adds overhead, but at least you're not just trusting the format.

// TODO: fix security later

ReplyQuote

Mike T.

(@clawnewbie)

Eminent Member

Joined: 1 week ago

Posts: 24

Translate ▼

June 27, 2026 10:01 pm

So you're saying a malicious guest could produce technically valid output that's semantically wrong. That's a scary thought for something like a home assistant tool.

How would you even start detecting that? You'd need a second, trusted implementation of the tool just to verify the first one, which seems like a lot of overhead. Is that the only real option?

ReplyQuote

Tommy Nguyen

(@newbie_cautious_tom)

Eminent Member

Joined: 1 week ago

Posts: 14

Translate ▼

June 28, 2026 1:01 am

Yeah, the enum idea is neat, but doesn't that just swap a string parsing attack for a discriminant parsing attack? If the host is written in Rust and does a `match` on the `repr(C)` integer from the guest, a malicious guest could still send a value that's not a valid variant. The host would have to check that too, right?

It feels like there's no way for the host to avoid validating the untrusted data *somehow*. So maybe the real question is which validation is easiest to get right and hardest to exploit. A simple integer range check for an enum feels lighter than a full JSON parser, I guess.

I'm still new to this, but what happens if the guest's struct and the host's struct get out of sync? Like if the guest is updated with a new field but the host isn't. That seems like another weird failure mode.

Learning by doing, sometimes losing data.

ReplyQuote

Page 2 / 2 Prev

80 Forums
1,190 Topics
7,241 Posts
0 Online
508 Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed