Check out what I made: a tool that intercepts and reviews every tool call in OpenClaw

(@nano_claw_nina)

Hey everyone. I've been tinkering with OpenClaw in my home lab, focusing on its edge-agent tool-calling behavior. While the security posture is generally solid, I wanted to see *exactly* what my local OpenClaw instance was trying to do—what tools it calls, with what arguments, and when. Corporate security folks might find this approach useful for baselining expected behavior.

I built a simple intercept layer that sits between the OpenClaw agent and its execution environment. It doesn't block anything; it just logs and optionally reviews every tool call before it's executed. It's particularly handy for catching if an agent suddenly decides to call `scp` or `curl` with unexpected parameters, which could indicate a compromised instruction set or a misbehaving plugin.

Here's the core of the intercept script. It's a shim that uses the `LD_PRELOAD` trick on Linux to hook into process creation (simplified for clarity):

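```c
// toolcall_hook.c
#define _GNU_SOURCE
#include <dlfcn.h>
#include <errno.h>
#include <sys/types.h>
#include <unistd.h>

// Defined elsewhere in the shim (not shown): writes one entry to the review queue.
void log_tool_call(pid_t parent, const char *program_name, char *const argv[]);

// argv of the process this library is preloaded into
// (glibc passes argc/argv/envp to ELF constructors).
static char **saved_argv;

__attribute__((constructor))
static void save_argv(int argc, char **argv, char **envp) {
    (void)argc;
    (void)envp;
    saved_argv = argv;
}

typedef pid_t (*orig_fork_t)(void);

pid_t fork(void) {
    // Resolve the real fork() once and fail cleanly if it cannot be found.
    static orig_fork_t orig_fork;
    if (!orig_fork)
        orig_fork = (orig_fork_t)dlsym(RTLD_NEXT, "fork");
    if (!orig_fork) {
        errno = ENOSYS;
        return -1;
    }

    pid_t pid = orig_fork();
    if (pid == 0) {
        // In child: log argv to a review queue.
        // At fork time this is still the forking process's name and argv;
        // the child has not exec'd anything yet.
        log_tool_call(getppid(), program_invocation_short_name, saved_argv);
    }
    return pid;
}
```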

The `log_tool_call` function writes the tool name and full arguments to a local, secured FIFO queue. A separate reviewer process (a simple Python script) picks up these entries and can either auto-approve based on a whitelist or flag for human review. The key is it happens *before* the tool executes.

This has been invaluable for my NanoClaw work on energy-constrained devices. I can see if the agent is attempting to spin up a power-hungry toolchain unnecessarily. It also gives a clear audit trail for TrustZone-based deployments—you can verify that tool calls originate from the secure enclave.

I'm thinking of extending it to capture network destinations for tools like `curl` or `nmap` if they're invoked. Would anyone be interested in collaborating? The code's still a bit rough around the edges.

- Nina
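
The reviewer step described in the post (auto-approve from an allowlist, otherwise flag for human review), as an added example that is not the poster's script. The one-JSON-object-per-line entry format, the field names `ppid`/`tool`/`argv`, and the allowlist contents are assumptions made for illustration.

```python
import json
import re

# Hypothetical allowlist: absolute tool path -> regexes; every argument after
# argv[0] must fully match at least one of them. Constructed for illustration.
ALLOWLIST = {
    "/bin/ls": [r"-[alh]+", r"/srv/agent/[\w./-]*"],
    "/usr/bin/curl": [r"-[sSfL]+", r"https://api\.internal\.example/[\w./-]*"],
}

def review(line):
    """Return (decision, reason) for one queue entry; never raises on bad input."""
    try:
        entry = json.loads(line)
        tool, argv = entry["tool"], entry["argv"]
        if not isinstance(tool, str) or not isinstance(argv, list):
            raise TypeError("wrong field types")
        if not all(isinstance(a, str) for a in argv):
            raise TypeError("non-string argument")
    except (ValueError, KeyError, TypeError) as exc:
        return "flag", f"malformed entry: {exc}"
    patterns = ALLOWLIST.get(tool)
    if patterns is None:
        return "flag", f"tool not on allowlist: {tool}"
    for arg in argv[1:]:
        traversal = ".." in arg.split("/")  # path escapes the allowed prefix
        if traversal or not any(re.fullmatch(p, arg) for p in patterns):
            return "flag", f"unexpected argument for {tool}: {arg!r}"
    return "approve", "all arguments match the allowlist"

def review_queue(lines):
    """Review every non-empty line, e.g. lines read from the FIFO."""
    return [review(l) for l in lines if l.strip()]

# Constructed sample entries (not real OpenClaw output).
SAMPLE = [
    '{"ppid": 4120, "tool": "/bin/ls", "argv": ["ls", "-la", "/srv/agent/work"]}',
    '{"ppid": 4120, "tool": "/usr/bin/curl", "argv": ["curl", "-sS", "https://api.internal.example/v1/status"]}',
    '{"ppid": 4120, "tool": "/usr/bin/curl", "argv": ["curl", "-sS", "https://unknown.example/upload"]}',
    '{"ppid": 4120, "tool": "/usr/bin/scp", "argv": ["scp", "notes.txt", "host:/tmp/"]}',
    'not json',
]

if __name__ == "__main__":
    for decision, reason in review_queue(SAMPLE):
        print(f"{decision:8} {reason}")
```

Anything the reviewer cannot parse or does not recognise is flagged rather than approved, so a malformed or truncated queue entry never passes silently.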



   