Do **not** define the `nimcore` conditional symbol and then the VM does not offer staticExec/staticRead anymore. You also need to ensure that `vmopsDanger` is not set in `c.config.features`. I claim the VM's sandboxing is then very good.
- Sandboxing untrusted Nimscript code dsrw
- Sandboxing untrusted Nimscript code Araq
