Hey everyone. I've been tinkering with OpenClaw in my home lab, focusing on its edge-agent tool-calling behavior. While the security posture is generally solid, I wanted to see *exactly* what my local OpenClaw instance was trying to do—what tools it calls, with what arguments, and when. Corporate security folks might find this approach useful for baselining expected behavior.
I built a simple intercept layer that sits between the OpenClaw agent and its execution environment. It doesn't block anything; it just logs and optionally reviews every tool call before it's executed. It's particularly handy for catching if an agent suddenly decides to call `scp` or `curl` with unexpected parameters, which could indicate a compromised instruction set or a misbehaving plugin.
Here's the core of the intercept script. It's a shim that uses the `LD_PRELOAD` trick on Linux to hook into process creation (simplified for clarity):
```c
// toolcall_hook.c
// Build: gcc -shared -fPIC -o toolcall_hook.so toolcall_hook.c -ldl
// Run:   LD_PRELOAD=./toolcall_hook.so TOOLCALL_LOG=/run/toolcall.fifo <agent command>
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

typedef int (*orig_execve_t)(const char *, char *const[], char *const[]);

// Append one record per tool call to the review queue (FIFO path taken from
// TOOLCALL_LOG): "<agent pid>\t<path>\t<argv0>\t<argv1>...". Opening a FIFO
// blocks until the reviewer has it open, so the record is queued before exec.
static void log_tool_call(pid_t agent, const char *path, char *const argv[]) {
    const char *dest = getenv("TOOLCALL_LOG");
    FILE *f = fopen(dest ? dest : "/tmp/toolcall.log", "a");
    if (!f) return;
    fprintf(f, "%ld\t%s", (long)agent, path);
    for (int i = 0; argv && argv[i]; i++) fprintf(f, "\t%s", argv[i]);
    fputc('\n', f);
    fclose(f);
}

// The tool name and argv only exist at exec time, not at fork, so the hook
// wraps execve; at that point the process is the agent's freshly forked child,
// so getppid() is the agent. Spawns that go through execvp()/posix_spawn()
// use libc-internal calls and bypass the public execve symbol, so this
// hook does not see them.
int execve(const char *path, char *const argv[], char *const envp[]) {
    orig_execve_t orig_execve = (orig_execve_t)dlsym(RTLD_NEXT, "execve");
    log_tool_call(getppid(), path, argv);
    return orig_execve(path, argv, envp);
}
```
The `log_tool_call` function writes the tool name and full arguments to a local, secured FIFO queue. A separate reviewer process (a simple Python script) picks up these entries and can either auto-approve based on a whitelist or flag for human review. The key is that it happens *before* the tool executes.
This has been invaluable for my NanoClaw work on energy-constrained devices. I can see if the agent is attempting to spin up a power-hungry toolchain unnecessarily. It also gives a clear audit trail for TrustZone-based deployments—you can verify that tool calls originate from the secure enclave.
I'm thinking of extending it to capture network destinations for tools like `curl` or `nmap` if they're invoked. Would anyone be interested in collaborating? The code's still a bit rough around the edges.
- Nina
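The reviewer side of the setup described above, as an added example that is not Nina's code: it assumes the hook writes one tab-separated record per call (`<agent pid>`, tool path, then each argv element) to the FIFO named by `TOOLCALL_LOG`, and the allowlist policy and sample records are constructed for illustration.

```python
# reviewer.py -- added example: consumes tool-call records from the LD_PRELOAD
# hook's FIFO and decides approve / flag per record. Assumed record format:
#   "<agent pid>\t<path>\t<argv0>\t<argv1>..."
import os
import shlex
from dataclasses import dataclass

# Constructed policy: basename -> permitted option flags (empty set = any args).
ALLOWLIST = {
    "ls": set(),
    "cat": set(),
    "curl": {"-s", "-o", "--max-time"},
}
# Tools that always go to a human, regardless of arguments.
REVIEW_ALWAYS = {"scp", "nmap", "ssh"}

@dataclass
class ToolCall:
    agent_pid: int
    path: str
    argv: list

def parse_entry(line: str) -> ToolCall:
    pid, path, *argv = line.rstrip("\n").split("\t")
    return ToolCall(int(pid), path, argv)

def review(call: ToolCall) -> tuple:
    """Return (decision, reason); decision is 'approve' or 'flag'."""
    name = os.path.basename(call.path)
    if name in REVIEW_ALWAYS:
        return "flag", f"{name} always requires human review"
    if name not in ALLOWLIST:
        return "flag", f"{name} is not on the allowlist"
    allowed = ALLOWLIST[name]
    flags = [a for a in call.argv[1:] if a.startswith("-")]
    bad = [f for f in flags if allowed and f.split("=", 1)[0] not in allowed]
    if bad:
        return "flag", f"{name} called with unexpected option(s) {bad}"
    return "approve", f"{name} matches policy"

def review_stream(lines):
    return [(c.agent_pid, shlex.join(c.argv), *review(c)) for c in map(parse_entry, lines)]

# Constructed sample records, shaped as the hook would write them.
SAMPLE = [
    "4242\t/usr/bin/ls\tls\t-l\t/srv/data",
    "4242\t/usr/bin/curl\tcurl\t-s\t--max-time\t5\thttps://example.invalid/api",
    "4242\t/usr/bin/curl\tcurl\t-T\t./agent-config.yaml\thttps://example.invalid/up",
    "4242\t/usr/bin/scp\tscp\tmodel.bin\tuser@host:/tmp",
]

if __name__ == "__main__":
    src = os.environ.get("TOOLCALL_LOG")
    lines = open(src) if src else SAMPLE  # read the FIFO if given, else the samples
    for pid, cmd, decision, reason in review_stream(lines):
        print(f"[{decision:7}] agent={pid} {cmd}  ({reason})")
```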