feat: behavioral session tracking with multi-step attack detection #964
Open
Labels: enhancement: feature, priority: high, security
Description
Problem
NemoClaw enforces container-level network and filesystem policies, but has no visibility into behavioral patterns across a session. An agent that reads credentials, fetches external data, and then attempts network egress is executing a multi-step exfiltration attack — but each individual action may appear benign in isolation. Without session-wide tracking, these attack patterns go undetected.
Proposal
Add a behavioral session tracker under nemoclaw/src/security/ that monitors capability accumulation across agent sessions and detects the "trifecta" pattern: credential read + external data ingestion + network egress.
Design
Three capability classes tracked per session:
- read_sensitive — agent read credential or configuration files (.ssh/, .aws/, .env, etc.)
- ingested_untrusted — agent fetched from external URLs or piped untrusted data
- has_egress — agent attempted network egress (curl, wget, git push, etc.)
Risk classification:
- 0 capabilities = "clean"
- 1–2 capabilities = "elevated"
- All 3 capabilities = "critical" (trifecta detected)
Session exposure API:
- Record capability events with tool name and detail
- Query capabilities, risk level, and trifecta status per session
- List all sessions with summaries
- Get detailed exposure data: sensitive files accessed, external URLs contacted, egress attempts (with deduplication)
Event limits:
- Maximum 100 events per session to bound memory usage
Scope
- New file: nemoclaw/src/security/session-tracker.ts
- New file: nemoclaw/src/security/session-tracker.test.ts
- New file: docs/reference/session-tracker.md
- No changes to existing NemoClaw code
- Full Vitest test coverage
Non-goals
- Automatic policy escalation (consumer decides what to do when trifecta is detected)
- Persistent session storage (in-memory only for this module)
- Integration with OpenShell's tool-call interception (future work)
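
A minimal sketch of the tracker described under Design, added here as an example and not the project's own code; the class, method and field names are hypothetical. It keeps the three capability flags outside the 100-event log, which is an assumption of this sketch, so that a full log cannot hide the capability that completes the trifecta.

```typescript
// Hypothetical sketch: names are illustrative, not NemoClaw's API.
type Capability = "read_sensitive" | "ingested_untrusted" | "has_egress";
type RiskLevel = "clean" | "elevated" | "critical";
interface CapabilityEvent { capability: Capability; tool: string; detail: string }
interface SessionState { caps: Set<Capability>; events: CapabilityEvent[] }

const MAX_EVENTS_PER_SESSION = 100; // event limit stated in the issue

class SessionTracker {
  private sessions = new Map<string, SessionState>();

  private state(id: string): SessionState {
    let s = this.sessions.get(id);
    if (!s) {
      s = { caps: new Set<Capability>(), events: [] };
      this.sessions.set(id, s);
    }
    return s;
  }

  // Returns false when the event detail was dropped because the log is full.
  record(id: string, event: CapabilityEvent): boolean {
    const s = this.state(id);
    // Assumption of this sketch: capability flags live outside the bounded
    // log, so a full log cannot hide the third capability.
    s.caps.add(event.capability);
    if (s.events.length >= MAX_EVENTS_PER_SESSION) return false;
    s.events.push(event);
    return true;
  }

  riskLevel(id: string): RiskLevel {
    const n = this.sessions.get(id)?.caps.size ?? 0;
    return n === 0 ? "clean" : n === 3 ? "critical" : "elevated";
  }

  hasTrifecta(id: string): boolean {
    return this.riskLevel(id) === "critical";
  }

  // Deduplicated details for one capability class, in first-seen order.
  exposure(id: string, capability: Capability): string[] {
    const events = this.sessions.get(id)?.events ?? [];
    const details = events.filter((e) => e.capability === capability).map((e) => e.detail);
    return Array.from(new Set(details));
  }
}
```
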