Hey folks. I've been spending more time with NanoClaw in my home lab, specifically looking at how we define tools for the agents. The more I play with it, the more I realize it's way too easy to accidentally grant a combination of tool permissions that could let a misbehaving agent do some real damage, especially in a self-hosted, internet-facing scenario.
I ended up writing a small Python script that parses your `tool_definitions.yaml` (or similar) and flags dangerous patterns. It's not a full static analyzer, but it catches the obvious stuff. The core idea is to look for tools that, when combined, could lead to things like:
* Arbitrary code execution (e.g., `execute_shell_command` plus a `write_file` that can reach a directory the shell, cron or a service will later execute or source)
* Privilege escalation and persistence (e.g., `write_file` plus `read_system_config`, which together let the agent locate and rewrite its own config or systemd units)
* Data exfiltration (e.g., `query_database` plus `send_http_request` with no restriction on destination hosts)
Here's the basic version I started with. It loads definitions and checks against a simple rule set.
```python
#!/usr/bin/env python3
import sys
import yaml

# Dangerous permission combos (tool_name: [list of other risky tool names]).
# Names must match the `name:` field of each entry in the manifest exactly.
RISKY_COMBOS = {
    "execute_shell_command": ["write_file", "manage_processes"],
    "write_file": ["read_system_config"],
    "query_database": ["send_http_request"],
}


def check_tool_definitions(filepath):
    # Assumes a top-level `tools:` list whose entries each carry a `name:` key.
    with open(filepath, "r") as f:
        tools = yaml.safe_load(f)
    tool_names = {tool["name"] for tool in tools["tools"]}
    found_issues = []
    for primary_tool, risky_companions in RISKY_COMBOS.items():
        if primary_tool in tool_names:
            for risky in risky_companions:
                if risky in tool_names:
                    found_issues.append(f"Combo: '{primary_tool}' + '{risky}'")
    return found_issues


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"usage: {sys.argv[0]} tool_definitions.yaml")
        sys.exit(2)
    issues = check_tool_definitions(sys.argv[1])
    if issues:
        print("Potential risky permission combinations found:")
        for issue in issues:
            print(f" - {issue}")
        sys.exit(1)  # non-zero so a CI job or pre-deploy hook fails
    else:
        print("No obvious dangerous combos found.")
```
You'd run it like `python3 check_tools.py ./config/tool_definitions.yaml`. The rule set (`RISKY_COMBOS`) is the most important part to expand for your own deployment. Note that the script only matches exact tool names, so a renamed or wrapped tool (say, `run_cmd` instead of `execute_shell_command`) slips through unless you add it to the rules. Think about it from an assume-breach angle: if an agent is compromised, whether by a bug or by a prompt-injected tool call, which tools could be chained together to break out of its intended scope?
This is a first pass. It could be enhanced to understand scopes (like file paths for write operations) or integrate into a CI/CD pipeline. For now, it's a simple sanity check before you deploy. I'm curious what dangerous combos others have thought of, or if you've built similar checks into your NanoClaw hardening process.
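As an added example (not NanoClaw's own code and not part of the original post), here is the scope-aware version the last paragraph gestures at. Instead of only checking that two tool names coexist, it inspects an assumed `scope` block on each tool (`scope.paths` for file tools, `scope.hosts` for network tools) and only fires when the scope is missing or reaches somewhere sensitive. The manifest layout, the sensitive-prefix list and the two sample manifests are all constructed for illustration; the tool names are the ones used in the script above.

```python
#!/usr/bin/env python3
"""Scope-aware check for risky tool combinations in an agent tool manifest.

Added example, not NanoClaw's own code. The manifest layout assumed here
(`tools[].name`, optional `tools[].scope.paths` / `tools[].scope.hosts`)
is an assumption for illustration; map it onto whatever your real
tool_definitions.yaml uses.
"""
import fnmatch
import sys

# Writes landing under these prefixes let an agent turn file access into code
# execution or persistence (assumed list; extend it for your host layout).
SENSITIVE_PATH_PREFIXES = (
    "/etc/", "/usr/", "/bin/", "/sbin/", "/lib/", "/root/",
    "/var/spool/cron/", "/home/agent/.config/",
)


def path_scope_is_dangerous(tool):
    """True when a file-writing tool is unscoped or its globs reach a sensitive prefix."""
    paths = (tool.get("scope") or {}).get("paths")
    if not paths:
        return True  # no allow-list at all: the write can go anywhere
    for pattern in paths:
        for prefix in SENSITIVE_PATH_PREFIXES:
            # Either the pattern is rooted inside the sensitive tree, or it is
            # broad enough ("/**", "/*") that a path inside that tree matches it.
            if pattern.startswith(prefix) or fnmatch.fnmatch(prefix + "x", pattern):
                return True
    return False


def host_scope_is_dangerous(tool):
    """True when a network tool is unscoped or its host allow-list is a bare wildcard."""
    hosts = (tool.get("scope") or {}).get("hosts")
    if not hosts:
        return True
    # "*" alone means any destination; "*.internal.example" is still a constraint.
    return any("*" in h and "." not in h for h in hosts)


RULES = [
    # (required tools, tool whose scope is inspected, scope check, why it matters)
    (("execute_shell_command", "write_file"), "write_file", path_scope_is_dangerous,
     "shell access plus writes reaching a sensitive directory: code execution / persistence"),
    (("write_file", "read_system_config"), "write_file", path_scope_is_dangerous,
     "config read plus writes reaching a sensitive directory: tamper with agent or service config"),
    (("query_database", "send_http_request"), "send_http_request", host_scope_is_dangerous,
     "database access plus unconstrained egress: data exfiltration"),
]


def load_tools(manifest):
    """Index a parsed manifest (dict) by tool name."""
    return {t["name"]: t for t in manifest.get("tools", []) if "name" in t}


def find_issues(tools):
    """One message per rule whose tools are all present and whose scope check fails."""
    issues = []
    for names, scoped, check, reason in RULES:
        if all(n in tools for n in names) and check(tools[scoped]):
            issues.append(" + ".join(names) + ": " + reason)
    return issues


# Constructed sample manifests, equivalent to what the YAML would parse to.
RISKY_MANIFEST = {"tools": [
    {"name": "execute_shell_command"},
    {"name": "write_file", "scope": {"paths": ["/home/agent/workspace/**",
                                               "/etc/systemd/system/*"]}},
    {"name": "read_system_config"},
    {"name": "query_database"},
    {"name": "send_http_request"},  # no host scope: egress to anywhere
]}
HARDENED_MANIFEST = {"tools": [
    {"name": "execute_shell_command"},
    {"name": "write_file", "scope": {"paths": ["/home/agent/workspace/**"]}},
    {"name": "read_system_config"},
    {"name": "query_database"},
    {"name": "send_http_request", "scope": {"hosts": ["api.internal.example"]}},
]}


def check_file(path):
    """Load a YAML manifest from disk and return its issues (needs PyYAML)."""
    import yaml
    with open(path) as f:
        return find_issues(load_tools(yaml.safe_load(f) or {}))


if __name__ == "__main__":
    issues = check_file(sys.argv[1]) if len(sys.argv) > 1 else find_issues(load_tools(RISKY_MANIFEST))
    for issue in issues:
        print(" -", issue)
    sys.exit(1 if issues else 0)
```

Run without arguments it checks the constructed risky manifest and reports all three rules; the hardened manifest, which confines writes to the workspace and egress to one internal host, passes with the same tool set installed. That is the point of scoping: the combination is the same, only the blast radius differs.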