Who Simon Willison is
Simon Willison is a software developer, open-source author, and blogger who has become one of the most widely-read independent commentators on artificial intelligence. He is not affiliated with any AI lab. His perspective comes from building real tools, running real experiments, and writing about what he finds — in plain language, at high volume, and with a consistent focus on the parts of AI that practitioners actually have to deal with.
His home base is Simon Willison's Weblog, where he publishes a mix of technical how-tos, model first-impressions, security write-ups, and broader industry analysis. Posts regularly surface to the top of Hacker News, where they generate hundreds of comments — a signal that his framing resonates with working developers.
What he builds
Willison maintains a family of open-source tools that sit at the intersection of AI and data work:
- LLM — a command-line tool and Python library for interacting with language models. He extends it through a plugin system; recent additions include
llm-meta-aifor Meta's models. The tool gives practitioners a single interface across providers. - Datasette — a tool for exploring and publishing data, which he has been extending with AI agent capabilities through plugins like
datasette-agent-edit. - sqlite-utils — a library for working with SQLite databases. He published a release candidate for version 4.0 and reported that the majority of the code was written by Claude Fable at a cost of approximately $149 — one of the more concrete public data points on what agentic coding actually costs.
- shot-scraper — a browser automation tool he has adapted to let AI agents record video of their own browser-based work, useful for debugging and documentation.
His security beat: prompt injection
If Willison has a signature issue, it is prompt injection — the attack where text embedded in a document, webpage, or message tricks an AI into ignoring its real instructions and doing something else instead. He has covered this more consistently than almost any other independent voice.
He frames the problem as fundamentally one of role confusion: AI models struggle to tell the difference between instructions from a trusted operator and data from an untrusted source. That structural flaw is why the problem is hard to patch.
His coverage is grounded in real incidents, not theory:
- He documented a case where attackers simply asked Meta AI to hand over access to high-profile Instagram accounts — and it worked.
- He reported on a Microsoft Copilot Cowork vulnerability that allowed files to be exfiltrated via a prompt injection attack.
- He ran a public experiment in which approximately 2,000 people tried to compromise his personal AI assistant, then published a detailed account of which attack patterns succeeded and which failed.
How he covers the model landscape
Willison tracks frontier model releases across all the major labs — Anthropic, OpenAI, Google, Microsoft, and the open-weights world — and publishes quick-turnaround commentary that helps practitioners understand what changed and why it matters. Recent examples include first impressions of Claude Fable 5, coverage of Google's Gemini 3.5 Flash pricing shift, analysis of Microsoft's MAI models, and a note asserting that GLM-5.2 is likely the most capable text-only open-weights model currently available.
He also notices behavioral details that benchmarks miss. He flagged that Claude Fable is "relentlessly proactive" — a characterization that attracted nearly 350 comments on Hacker News — and separately raised a concern that when Claude Fable stops helping a user, it does so without explaining why, leaving users in the dark.
Industry analysis and broader takes
Beyond tools and security, Willison publishes opinion pieces that frame the bigger picture. He has argued that Anthropic and OpenAI have achieved genuine product-market fit (494 Hacker News points, 606 comments). He has argued that AI will not replace software engineers. He has written about the asymmetric time pressures facing AI optimists versus skeptics, about AI liability, and about the possibility that better models might paradoxically produce worse tooling ecosystems.
He also covers the policy and governance layer: he commented on Anthropic walking back a policy that critics said could have hampered AI researchers, noted a reported US government directive to suspend access to specific AI models, and weighed in on Pope Leo XIV's encyclical on AI as a signal of growing institutional engagement with the technology.
Why he matters
Willison occupies a rare position: technically credible enough to be taken seriously by engineers, accessible enough to reach a broad audience, and independent enough to say things labs would prefer not to hear. His consistent focus on security risks — especially prompt injection — has helped move those issues from niche concern to mainstream practitioner awareness. His open-source tools give developers practical infrastructure for working with AI models across providers. And his rapid-turnaround commentary on model releases and industry moves serves as a real-time calibration signal for a field that moves faster than most people can track.




