How Django Co-Creator Simon Willison Uses Claude Code [With Concrete Examples]

Simon Willison is the co-creator of the Python web framework Django and the author of the open-source data exploration tool Datasette. Through his blog simonwillison.net he writes prolifically about the practical use of AI and LLMs, and is one of the most influential voices in the field.

Simon Willison argues that the key skill for engineers going forward is "designing agentic loops". Rather than polishing prompts, he says, you should design the "loop" within which an agent can experiment on its own. In this article we dig into that idea with concrete examples.

This article is our own research and summary of Simon Willison's blog posts. The quotations are excerpts from the original articles, with sources listed at the end of this post. For the precise nuance of the original wording, please always refer to the original articles.

1. Defining "agent" and "agentic loop"

He defines an agent in practical terms, not as a buzzword:

My preferred definition of an LLM agent is something that runs tools in a loop to achieve a goal.

The art of using them well is to carefully design the tools and loop for them to use.

— Designing agentic loops (2025-09-30)

In other words, an agent is "something that runs tools in a loop toward a goal", and the skill of using one well is to carefully design which tools to give it and what loop to build. It shows that an engineer's edge has shifted from "prompts" to "loop design".

2. The fuel that keeps the loop running is "tests"

For a loop to converge, the agent needs to be able to verify its own work by itself. He treats tests as the single most important means of that verification.

The value you can get from coding agents and other LLM coding tools is massively amplified by a good, cleanly passing test suite.

— Designing agentic loops (2025-09-30)

Conversely, without tests, "the agent may claim it 'worked' when in fact it never actually tested anything at all" (Vibe engineering, 2025-10-07). The presence or absence of verification, he argues, is exactly what determines whether an autonomous loop works.

3. YOLO mode and its three risks

He is an enthusiastic user of "YOLO mode" (--dangerously-skip-permissions), which skips permission confirmations. As long as it is isolated, the agent can clear away tedious, repetitive work unattended. He also spells out the risks clearly.

# YOLO mode: runs tools back-to-back without asking for confirmation (use only inside an isolated environment)
claude --dangerously-skip-permissions

1. Bad shell commands deleting or mangling things you care about.
2. Exfiltration attacks where something steals files or data visible to the agent.
3. Attacks that use your machine as a proxy to attack another target.

— Designing agentic loops (2025-09-30)

4. The solution is a sandbox — ideally "someone else's computer"

His answer to those risks is a sandbox. His phrasing is brilliant:

The only solution that's credible is to run coding agents in a sandbox.

The best sandboxes are the ones that run on someone else's computer! That way the worst that can happen is someone else's computer getting owned.

— Living dangerously with Claude (2025-10-22)

That is why a remote environment like GitHub Codespaces is preferable, and he adds that cutting off network access closes the path for data exfiltration.

Concrete example: the "$5 disposable organization" on Fly.io

His signature real-world example comes from investigating slow cold starts of an app on Fly.io. He wanted to let Claude Code handle everything (editing the Dockerfile, deploying, and measuring startup time), but he was worried about the cost. His answer:

So I created a dedicated organization for just this one investigation, set a $5 budget, issued an API key and set Claude Code loose on it!

— Designing agentic loops (2025-09-30)

He created an organization dedicated to this one investigation, capped the budget at $5, issued an API key, and set Claude Code loose. The safety rules he advocates for credentials are simple:

Important: YOLO mode only works when it is paired with the safety mechanisms of isolation, budget limits, and staging environments. He himself repeatedly warns about the dangers of AI in terms of the "lethal trifecta" (sensitive data + untrusted input + the ability to communicate externally).
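One way to apply the dedicated-credential idea when launching the agent process, as an added example that is not from Willison's posts: the child inherits only an allow-listed environment and a throwaway working directory, so the scoped key is visible and the other secrets in the developer's shell are not. `SCRATCH_ORG_TOKEN` and the sample values are assumptions, and this narrows what a process inherits without replacing the sandbox.

```python
import subprocess
import sys
import tempfile

# Allow-list of variables the agent process may inherit. SCRATCH_ORG_TOKEN is
# a hypothetical name for the dedicated, budget-capped key.
ALLOWED_ENV = ("PATH", "LANG", "SCRATCH_ORG_TOKEN")

# Constructed parent environment: the scoped key plus secrets a developer
# shell often carries.
SAMPLE_PARENT = {
    "PATH": "/usr/local/bin:/usr/bin:/bin",
    "SCRATCH_ORG_TOKEN": "constructed-scoped-token",
    "AWS_SECRET_ACCESS_KEY": "constructed-secret",
    "GITHUB_TOKEN": "constructed-secret",
}


def agent_env(parent: dict, allowed=ALLOWED_ENV) -> dict:
    """Build the child environment from an allow-list, not a deny-list."""
    return {name: parent[name] for name in allowed if name in parent}


def run_scoped(cmd: list, parent: dict) -> subprocess.CompletedProcess:
    """Run cmd in a throwaway directory with only allow-listed variables."""
    with tempfile.TemporaryDirectory(prefix="agent-scratch-") as workdir:
        env = agent_env(parent)
        env["HOME"] = workdir  # tools that read $HOME no longer see the real home
        return subprocess.run(cmd, cwd=workdir, env=env,
                              capture_output=True, text=True, timeout=60)


def visible_names(parent: dict) -> set:
    """Ask a child process which environment variable names it can see."""
    probe = [sys.executable, "-c",
             "import os; print('\\n'.join(sorted(os.environ)))"]
    return set(run_scoped(probe, parent).stdout.split())


if __name__ == "__main__":
    print(sorted(visible_names(SAMPLE_PARENT)))
```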

5. Identifying the "right kinds of problems"

He frames agentic loops as especially effective for problems that have clear success criteria and where trial and error pays off. The four concrete examples he gives are:

What they all share is a mechanically measurable success signal — "the tests pass / the query gets faster / the image gets smaller". As he puts it, coding agents are "really good at running shell commands", which is exactly why these tasks are such a good fit.

6. Distinguishing "vibe coding" from "vibe engineering"

He clearly separates two things that are often conflated. Vibe coding means "having an LLM write code without reviewing it". That is fun and genuinely useful for low-risk, throwaway projects. Real professional work, on the other hand, is vibe engineering — an attitude of "boldly and confidently continuing to take responsibility" while using an LLM. His golden rule for production code, in summary, is "never commit code you cannot explain accurately to someone else". His consistent position is that AI is, above all, a tool that amplifies existing expertise.

AI tools amplify existing expertise. The more skills and experience you have as a software engineer the faster and better the results you can get from working with LLMs and coding agents.

— Vibe engineering (2025-10-07)

Our take: Willison's "loop design" and "identifying the right problems" give us a way to see AI adoption as project risk management. Start with tasks whose success criteria can be measured mechanically, and secure safety through isolation and budget caps. This is exactly the solid playbook for bringing any new technology into real-world work.

References

  1. Simon Willison, "Designing agentic loops" (September 30, 2025) — https://simonwillison.net/2025/Sep/30/designing-agentic-loops/
  2. Simon Willison, "Living dangerously with Claude" (October 22, 2025) — https://simonwillison.net/2025/Oct/22/living-dangerously-with-claude/
  3. Simon Willison, "Vibe engineering" (October 7, 2025) — https://simonwillison.net/2025/Oct/7/vibe-engineering/
  4. Simon Willison, "Not all AI-assisted programming is vibe coding" (March 19, 2025) — https://simonwillison.net/2025/Mar/19/vibe-coding/

Frequently Asked Questions (FAQ)

What does Simon Willison mean by "designing agentic loops"?

He defines an agent as "something that runs tools in a loop to achieve a goal", and says the skill of using them well lies in carefully designing which tools to provide and what loop to build around them. It reflects the idea that an engineer's edge has shifted from crafting prompts to designing loops.

How does Simon Willison deal with the dangers of YOLO mode?

He says the only credible solution is to run the agent in a sandbox, ideally on "someone else's computer" such as GitHub Codespaces, and to cut off network access to close the path for data exfiltration. As a concrete example, he describes creating a dedicated investigation organization on Fly.io with a $5 budget and setting Claude Code loose on it.

How does Simon Willison distinguish between vibe coding and vibe engineering?

Vibe coding means "having an LLM write code without reviewing it", which he considers genuinely useful for low-risk, throwaway projects. Vibe engineering, by contrast, is professional work where you keep accountability while using an LLM, and his golden rule is "never commit code you cannot explain accurately to someone else". His consistent stance is that AI is a tool that amplifies existing expertise.
