Easy Agentic Tool Calling with Gemma 4
Summary
This tutorial demonstrates how to enable agentic tool calling with Gemma 4 by giving it local filesystem and Python interpreter tools. It highlights that true agency involves interacting with the local system, not just remote web APIs. The article details building a sandboxed filesystem explorer, `list_directory_contents`, with hard path-traversal guards, and a restricted Python interpreter, `execute_python_code`, using a whitelisted `__builtins__` namespace to prevent unsafe operations. It emphasizes robust security measures for local tools. The `gemma4:e2b` variant, a 2-billion-parameter model, is shown running locally on a laptop without a GPU, successfully using these tools sequentially to answer complex queries, such as listing files and calculating their total size, demonstrating grounded inference and deterministic computation.
Key takeaway
For AI Engineers building agentic LLM applications, prioritize constructing robust security perimeters around local tools. You must implement strict sandboxing for filesystem access and Python execution, like path-traversal guards and whitelisted builtins, before handing control to models like Gemma 4. This ensures safe interaction with the local machine, transforming models from simple chatbots into truly agentic systems capable of observation and deterministic computation without compromising system integrity.
Key insights
True LLM agency requires interacting with the local system through carefully sandboxed tools, enabling observation and deterministic computation beyond remote API calls.
Principles
- Always confine tool access to a safe base directory.
- Whitelist `__builtins__` for Python execution, don't blacklist.
- Design tools to return useful error messages for model retry.
Method
Define Python functions, expose via JSON schema, pass to Ollama with prompt, intercept "tool_calls", execute locally, append result as "tool"-role message, then re-query the model for final synthesis.
In practice
- Implement path-traversal guards for filesystem tools.
- Use `exec()` with a stripped `__builtins__` for Python tools.
- Capture stdout and return specific errors for empty output.
Topics
- Agentic AI
- Tool Calling
- Gemma 4
- Local LLMs
- Python Sandboxing
- Filesystem Security
- Ollama
Code references
Best for: AI Engineer, Machine Learning Engineer, AI Student
Related on AIssential
Editorial summary, takeaway, and curation by AIssential. Original article published by KDnuggets.