Code Execution
also known as Code-Then-Execute, CodeAct, Program of Thoughts
Let the model emit code, run it in a sandbox, and treat the run as the answer instead of trusting the model to compute in its head.
This pattern helps complete certain larger patterns —
- specialisesTool Use★★— Let the LLM produce typed calls against an external toolkit instead of producing free-form text the surrounding system has to parse.
- used-byCode-as-Action Agent★— Have the agent emit a code snippet as its action each step, executed in a constrained interpreter, instead of emitting JSON tool calls; tool composition becomes function nesting and control flow inside the snippet.
Context
A team is building an agent for a task that involves arithmetic, data manipulation, parsing, or other deterministic computation. The deployment can host a sandboxed Python or JavaScript interpreter (or another container-based execution environment) that the agent's code blocks can run inside.
Problem
Large language models routinely get arithmetic wrong, miscount items in a list, and round numbers inconsistently when they try to compute the answer in their head. A small numeric error early in a workflow invalidates every downstream step, and the model offers no audit trail for how it arrived at a wrong number. Asking the model to be more careful does not fix the underlying issue: the computation never becomes a step the model can rerun or inspect.
Forces
- Sandbox setup adds latency.
- Generated code may import unsafe modules or run forever.
- Execution results must round-trip back into the model's working context.
Example
A finance agent answers 'what was the average gross margin across these 47 orders?' by reading the rows and trying to compute the answer in its head, getting it wrong by 1.4 percentage points. The team enables Code Execution: the agent emits a short Python snippet that loads the data and computes the average in a sandbox, and the run's stdout becomes the answer. The model's strength stays at constructing the right calculation; the arithmetic stops being something it has to hallucinate.
Diagram
Solution
Therefore:
The agent emits a code block; a controlled interpreter (Python sandbox, JS VM, container) runs it; stdout/stderr/return value flow back. Repeat under a step budget. CodeAct treats code as the action language directly.
What this pattern forbids. Computation happens in the sandbox; the model's free-form numeric output is not trusted.
And the patterns that stand alongside it, or against it —
- composes-withReAct★★— Interleave a single thought, a single tool call, and a single observation per step so the agent reasons over fresh evidence.
- composes-withDeterministic-LLM Sandwich★— Bracket every LLM call with deterministic checks on both sides.
- composes-withSkill Library★— Let the agent grow its own toolkit by writing reusable skills that subsequent runs can call.
- complementsSandbox Isolation★★— Run agent-emitted code or actions in a contained environment with restricted filesystem, network, and process privileges.
- complementsWebAssembly Skill Runtime·— Package each agent skill as a WebAssembly module with a capability manifest, and run it inside a Wasm runtime that enforces those capabilities, so untrusted skills cannot weaken the host's sandbox.
- complementsCode-Then-Execute with Dataflow Analysis★— Have the agent emit code in a sandbox DSL whose values are statically tagged trusted/tainted via dataflow analysis before execution, enabling per-value policy enforcement.
- complementsVibe-Coding Without Security Review✕— Anti-pattern: developer scaffolds an agent prototype with a code-generation tool and ships the generated code with no security review; ~90% of agent-generated code contains vulnerabilities without explicit security prompts.
- complementsRecursive Language Model·— Treat an over-long prompt as an environment the model navigates by code, letting it partition and recursively call itself over snippets, so it answers over inputs far larger than its context window.
Neighbourhood
Click any neighbour to follow the language. Scroll to zoom, drag to pan.
Used in recipes
Used in frameworks
- Azure AI Foundry Agent Service
Code Interpreter is a built-in tool that runs Python in a Microsoft-managed Hyper-V-isolated sandbox (Azure Container Apps dynamic sessions) for data analysis, math, and chart gen…
- Cline
Commands run in user's terminal; long-running processes monitored in background.
- AutoGen
DockerCommandLineCodeExecutor is the recommended execution backend; sandboxed by container.
- Botpress
Tools in the ADK are functions the AI model can call during execute(); the model decides which tools to call based on the conversation, and TypeScript handler functions hold the c…
- CAMEL-AI
Execution backends include Python, shell, and browser interpreters for live code evaluation.
- OpenHands
Bash and code execution run inside Docker sandbox; process and remote alternatives also documented.
- Vertex AI Agent Builder
Agent Engine provides managed Code Execution so agents can run Python/JavaScript in a secure, isolated sandbox with state preserved across calls; supports file I/O and TTL up to 1…
- Agno
PythonTools and ShellTools are pre-built toolkits that let agents execute Python and shell commands; save_to_file_and_run / run_python_code are explicit code-execution functions.
- Aider
Auto-lint + auto-test feedback loop; non-zero exits drive retry.
- Amazon Bedrock Agents
Code interpretation generates and runs code in a secure sandbox; supports analysis and file processing.
Show 20 more
- Codex CLI
workspace-write mode lets Codex edit files and run local commands inside the sandbox boundary.
- BeeAI Framework
Code execution is a built-in tool alongside web search and weather.
- XAgent
Python notebook tool.
- Devin
Devin writes, runs, and tests code inside its VM.
- Replit Agent
Cloud workspace runs the code Agent writes; Agent tests its own work.
- TaskWeaver
- Genspark
The Clawverse showcase claim implies the agent runs and iterates on generated code; details of the execution environment are not in the public docs we could fetch.
- OpenAgents
- AutoAgent
Code generation and execution via Docker containerization.
- OpenManus
PythonExecute is one of Manus's headline tools; the DataAnalysis Agent is dedicated to executable code analysis.
- GitHub Copilot Coding Agent
The agent executes automated tests and linters inside the ephemeral GitHub Actions environment.
- Anthropic Computer Use
bash and text_editor tools execute commands and edit files in the sandbox.
- Goose
Goose can install, execute, edit, and test inside the user's machine.
- Plandex
Plandex runs commands and auto-debugs in full-auto; controlled rollback is integral.
- AutoGPT
CodeExecutorComponent with per-agent Docker sandbox.
- Bisheng
Bisheng ships a named Code Executor with two execution modes — E2B (cloud sandbox) and Local — whose generated files surface directly in task results. Workflow graph also exposes…
- Pochi
Command execution is a documented tool; custom agents can restrict shell commands via executeCommand specifiers.
- Open Interpreter
Runs Python, JavaScript, Shell, and more locally.
- bolt.new
WebContainer is an in-browser Node runtime; the agent runs npm tools, dev servers, and shells inside it.
- Modal
Sandboxes are advertised explicitly as the primitive for executing LLM-generated code.
References
Provenance
- Source: patterns/code-execution.md on GitHub · commit
4fa1213· view history - Added to catalog:
- Last updated:
- Contribute: open an issue or PR at github.com/agentpatternscatalog/patterns.