feat: behavioral session tracking with multi-step attack detection

[gemini2026]

Problem

NemoClaw enforces container-level network and filesystem policies, but has no visibility into behavioral patterns across a session. An agent that reads credentials, fetches external data, and then attempts network egress is executing a multi-step exfiltration attack — but each individual action may appear benign in isolation. Without session-wide tracking, these attack patterns go undetected.

Proposal

Add a behavioral session tracker under nemoclaw/src/security/ that monitors capability accumulation across agent sessions and detects the "trifecta" pattern: credential read + external data ingestion + network egress.

Design

Three capability classes tracked per session:

• read_sensitive — agent read credential or configuration files (.ssh/, .aws/, .env, etc.)
• ingested_untrusted — agent fetched from external URLs or piped untrusted data
• has_egress — agent attempted network egress (curl, wget, git push, etc.)

Risk classification:

• 0 capabilities = "clean"
• 1–2 capabilities = "elevated"
• All 3 capabilities = "critical" (trifecta detected)

Session exposure API:

• Record capability events with tool name and detail
• Query capabilities, risk level, and trifecta status per session
• List all sessions with summaries
• Get detailed exposure data: sensitive files accessed, external URLs contacted, egress attempts (with deduplication)

Event limits:

• Maximum 100 events per session to bound memory usage

Scope

• New file: nemoclaw/src/security/session-tracker.ts
• New file: nemoclaw/src/security/session-tracker.test.ts
• New file: docs/reference/session-tracker.md
• No changes to existing NemoClaw code
• Full Vitest test coverage

Non-goals

• Automatic policy escalation (consumer decides what to do when trifecta is detected)
• Persistent session storage (in-memory only for this module)
• Integration with OpenShell's tool-call interception (future work)

[wscurran]

✨ Thanks for submitting this proposal with a detailed summary, it addresses a security concern and proposes a feature to add behavioral session tracking with multi-step attack detection, which could improve security and prevent attacks in NemoClaw.

---

Possibly related open PRs:

• #965 feat(security): add behavioral session tracker with trifecta detection

[gemini2026]

PR at #965.

[prekshivyas]

Closing this issue. PR #965 implemented the proposed session tracker and went through multiple review rounds. After thorough review, we've decided the approach doesn't fit NemoClaw's security model:

1. Tool-call tracking is bypassable — agents exfiltrate via shell execution (bash_execute), which the tracker can't inspect
2. Detection-only doesn't prevent harm — NemoClaw's security model is enforcement-based (Landlock, network policies, secret scanner), not observation-based
3. High false positive rate — every internal API call would trigger ingested_untrusted, drowning real signals

Behavioral detection for agent exfiltration belongs at the network layer (OpenShell's L7 proxy), where egress is visible regardless of which tool initiated it.

See the full review on PR #965 for details.