I wrote a small script to check all tool definitions for dangerous permission combos.

(@api_sec_omar)
Joined: 2 weeks ago
[#1360]

Hey folks. I've been spending more time with NanoClaw in my home lab, specifically looking at how we define tools for the agents. The more I play with it, the more I realize it's way too easy to accidentally give a tool a combination of permissions that could let a misbehaving agent do some real damage, especially in a self-hosted, internet-facing scenario.

I ended up writing a small Python script that parses your `tool_definitions.yaml` (or similar) and flags dangerous patterns. It's not a full static analyzer, but it catches the obvious stuff. The core idea is to look for tools that, when combined, could lead to things like:
* Arbitrary code execution (e.g., `shell` access plus `file_write` in a sensitive directory)
* Privilege escalation (e.g., ability to modify agent config or systemd units)
* Data exfiltration (e.g., `database_query` plus `network_access` without constraints)

Here's the basic version I started with. It loads definitions and checks against a simple rule set.

```python
#!/usr/bin/env python3
import sys

import yaml  # PyYAML: pip install pyyaml

# Dangerous permission combos (tool_name: [other tool names that are risky alongside it])
RISKY_COMBOS = {
    "execute_shell_command": ["write_file", "manage_processes"],
    "write_file": ["read_system_config"],
    "query_database": ["send_http_request"],
}


def check_tool_definitions(filepath):
    """Load the tool definitions and return a list of flagged combinations."""
    with open(filepath, 'r') as f:
        tools = yaml.safe_load(f)

    # Only the tool names matter for this first pass; scopes are ignored.
    tool_names = [tool['name'] for tool in tools['tools']]
    found_issues = []

    for primary_tool, risky_companions in RISKY_COMBOS.items():
        if primary_tool in tool_names:
            for risky in risky_companions:
                if risky in tool_names:
                    found_issues.append(f"Combo: '{primary_tool}' + '{risky}'")

    return found_issues


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"usage: {sys.argv[0]} <tool_definitions.yaml>")
        sys.exit(2)
    issues = check_tool_definitions(sys.argv[1])
    if issues:
        print("Potential risky permission combinations found:")
        for issue in issues:
            print(f" - {issue}")
        sys.exit(1)  # non-zero so a CI step fails on findings
    else:
        print("No obvious dangerous combos found.")
```

You'd run it like `python3 check_tools.py ./config/tool_definitions.yaml`. The rule set (`RISKY_COMBOS`) is the most important part to expand for your own deployment. Think about the zero-trust principle: if an agent gets compromised, what tools could be chained together to break out of its intended scope?

This is a first pass. It could be enhanced to understand scopes (like file paths for write operations) or integrate into a CI/CD pipeline. For now, it's a simple sanity check before you deploy. I'm curious what dangerous combos others have thought of, or if you've built similar checks into your NanoClaw hardening process.
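As an added example (not part of the post above or of NanoClaw itself), here is the scope-aware extension the post suggests: a combo is only flagged when the companion tool's scope actually reaches something sensitive. The `scope` field layout, the sensitive root list and the sample tool set are all constructed assumptions, not NanoClaw's real schema.

```python
from pathlib import PurePosixPath

# Constructed sample: the parsed form of a hypothetical tool_definitions.yaml.
# The "scope" sub-keys (paths, hosts) are an assumed layout, not NanoClaw's schema.
SAMPLE_TOOLS = [
    {"name": "execute_shell_command", "scope": {}},
    {"name": "write_file", "scope": {"paths": ["/var/lib/nanoclaw/workspace",
                                               "/etc/systemd/system"]}},
    {"name": "query_database", "scope": {}},
    {"name": "send_http_request", "scope": {"hosts": ["api.internal.example"]}},
]

# Assumed roots where a write means config tampering or privilege escalation.
SENSITIVE_ROOTS = ["/etc", "/usr", "/root"]


def path_within(path, root):
    """True if `path` is `root` or lies beneath it (component-wise, not prefix)."""
    try:
        PurePosixPath(path).relative_to(root)
        return True
    except ValueError:
        return False


def write_scope_sensitive(tool):
    """A write tool is risky if unscoped, or if any allowed path reaches a sensitive root."""
    paths = tool.get("scope", {}).get("paths")
    if not paths:  # no path restriction at all: can write anywhere
        return True
    return any(path_within(p, root) for p in paths for root in SENSITIVE_ROOTS)


def http_unconstrained(tool):
    """An outbound HTTP tool is risky for exfiltration if it has no host allow-list."""
    return not tool.get("scope", {}).get("hosts")


# (label, primary tool, companion tool, predicate deciding if the companion's scope is risky)
RULES = [
    ("code-exec", "execute_shell_command", "write_file", write_scope_sensitive),
    ("exfil", "query_database", "send_http_request", http_unconstrained),
]


def check_tools(tools):
    """Return findings for combos whose companion tool is dangerously scoped."""
    by_name = {t["name"]: t for t in tools}
    findings = []
    for label, primary, companion, is_risky in RULES:
        if primary in by_name and companion in by_name and is_risky(by_name[companion]):
            findings.append(f"{label}: '{primary}' + '{companion}'")
    return findings
```

On the sample, only the code-exec combo fires, because the HTTP tool is pinned to one host; narrowing `write_file` to the workspace path clears the remaining finding.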