Agent SafetyOutlineDraft

Syscall Filtering: The Strict Diet for Agents

Blocking binaries is not enough. Seccomp allowlists shrink the system vocabulary so common exploits fail closed.

Series draft — Part 5 of 15 in Hardened Agentic Stack. Outline only; expand before un-drafting.

Phase 2: Runtime Integrity — The Local Threat Model

The Problem

Even without npx, agents can open raw sockets or manipulate file descriptors.

The Infrastructure Fix

Apply restrictive Seccomp profiles; deny high-risk syscalls not required for ClawQL core paths.

The Architecture Pattern

Syscall Allowlisting — restrict the agent’s system-level vocabulary.

Planned sections

  1. The “Oh No” moment — concrete incident or near-miss that makes the risk visceral.
  2. ClawQL context — how this control protects a high-privilege local/edge agent.
  3. Technical how-to — concrete configs, policies, or snippets a builder can apply.
  4. Safety check — what “trusted enough” looks like once this layer is in place.

Key visuals

  • Default deny seccomp profile sketch

Source modules (docs.clawql.com)

Rule of Three (keep on publish)

LayerTakeaway
ProblemEven without npx, agents can open raw sockets or manipulate file descriptors.
Infrastructure fixApply restrictive Seccomp profiles; deny high-risk syscalls not required for ClawQL core paths.
Architecture patternSyscall Allowlisting — restrict the agent’s system-level vocabulary.

About the author

Daniel Smith builds ClawQL, an agent operating system for token-efficient discovery and execution over APIs — with observability, hardened tool boundaries, and production routing for LLM workloads. He writes here about the systems problems behind shipping agents.