{"slug": "easy-agentic-tool-calling-with-gemma-4", "title": "Easy Agentic Tool Calling with Gemma 4", "summary": "Google's Gemma 4 model can now autonomously decide when to inspect its local filesystem and execute Python code, moving beyond simple web API calls toward true agentic behavior. The new implementation provides the model with a sandboxed filesystem explorer and restricted Python interpreter, enabling it to reason about its own environment and offload computational tasks. This development represents a shift from retrieval-augmented chatbots to models that can interact with and modify their local system.", "body_md": "# Easy Agentic Tool Calling with Gemma 4\n\nIn this tutorial, we will give Gemma 4 two new tools and watch the model decide, on its own, when to look around and when to compute.\n\n## # Introduction\n\n[In a recent article](https://machinelearningmastery.com/how-to-implement-tool-calling-with-gemma-4-and-python/) on Machine Learning Mastery, we built a tool-calling agent that reached **outward**, that is pulling weather, news, currency rates, and time from public APIs. That article covered the synthesis half of the pattern nicely, but it left the more interesting half on the table: an agent that reasons about its own environment, inspects its own machine, and offloads logic it doesn't trust itself to perform. It could be argued that this is closer to truly \"agentic.\"\n\nThis article picks up where that one left off. We will give Gemma 4 two new tools — a sandboxed local filesystem explorer and a restricted Python interpreter — and watch the model decide, on its own, when to look around and when to compute.\n\nTopics we will cover include:\n\n- Why \"agentic\" tool calling needs more than web APIs to be interesting\n- How to build a filesystem inspection tool with hard path-traversal guards\n- How to wire a Python interpreter tool to the model without handing it the keys to your machine\n- How the same orchestration loop from before generalizes to these new capabilities\n\nI highly recommend that you [first read this article](https://machinelearningmastery.com/how-to-implement-tool-calling-with-gemma-4-and-python/) before continuing on.\n\n## # From Conversation to Agency\n\nWhen the only tools you give a language model are read-only web APIs, essentially you still really have a chatbot, albeit one with potential access to better information. The model receives a prompt, decides which API to ping, and stitches the JSON response into a paragraph. There is no real notion of **environment**, no state to inspect, no consequence to reason about; it's a scenario more akin to [retrieval augmented generation](https://www.kdnuggets.com/7-steps-to-mastering-retrieval-augmented-generation) than true agency.\n\nAgency, in the practical sense practitioners use the word, shows up when a model starts interacting with the system it is running on. That can mean reading from a local filesystem, executing code, modifying files, calling other processes, or any combination of those. The moment a tool can do something other than return a clean string from a remote service, the model has to start asking **about** itself: what files exist, what does this number actually equal, what is in this folder before I claim it contains anything.\n\nThe Gemma 4 family, and specifically the `gemma4:e2b`\n\nedge variant we have been using, is small enough to run locally on a laptop while being competent enough at structured output to drive this kind of loop reliably. That combination is what makes the local-agentic pattern interesting in the first place. The complete code for this tutorial [can be found here](https://github.com/mmmayo13/gemma_4_tool_calling/blob/main/cmd_calling.py).\n\n## # The Architectural Reuse\n\nThe orchestration loop from the previous tutorial does not change. We define Python functions, expose them via JSON schema, pass the registry to Ollama alongside the user prompt, intercept any `tool_calls`\n\nblock on the response, execute the requested function locally, append the result as a `tool`\n\n-role message, and re-query the model so it can synthesize a final answer. The same `call_ollama`\n\nhelper, the same `TOOL_FUNCTIONS`\n\ndictionary, the same `available_tools`\n\nschema array from the previous tutorial all make appearances.\n\nWhat changes is the nature of the tools themselves. Where the previous batch were all thin clients over remote APIs, those we will build now both run code on the machine. That shifts the design problem from \"how do I parse this response\" to \"how do I make sure the model cannot, even accidentally, do something it should not be allowed to do.\"\n\n## # Tool 1: A Sandboxed Filesystem Explorer\n\nThe first tool, `list_directory_contents`\n\n, gives the model the ability to see what files exist in a given folder. This sounds trivial until you remember that `os.listdir`\n\naccepts any string, including `/`\n\n, `~`\n\n, and `../../etc`\n\n. A naive implementation could happily walk the model's \"curiosity\" straight to your API keys.\n\nThe design choice here is to pin a safe base directory at script start and reject any request that resolves outside of it:\n\n```\n# Security: confine list_directory_contents to this base directory and its descendants\n# Set to the current working directory when the script starts\nSAFE_BASE_DIR = os.path.abspath(os.getcwd())\n\ndef list_directory_contents(path: str = \".\") -> str:\n \"\"\"Lists files and directories within a path, constrained to the safe base directory.\"\"\"\n try:\n # Resolve to an absolute path and verify it sits inside SAFE_BASE_DIR\n # This blocks traversal attempts like '../../etc' or absolute paths like '/'\n requested = os.path.abspath(os.path.join(SAFE_BASE_DIR, path))\n if not (requested == SAFE_BASE_DIR or requested.startswith(SAFE_BASE_DIR + os.sep)):\n return (\n f\"Error: Access denied. The path '{path}' resolves outside the \"\n f\"permitted workspace ({SAFE_BASE_DIR}).\"\n )\n ...\n```\n\nThe pattern is simple but worth considering further. We never trust the string the model produced. We join it onto the base directory, resolve it absolutely (so `..`\n\ngets normalized away), and then verify the resolved path still starts with the base. Both `/etc/passwd`\n\nand `../../somewhere`\n\ncollapse into paths that fail that prefix check and are rejected before `os.listdir`\n\nis ever called.\n\nThe rest of the function is housekeeping: confirm the path exists and is a directory, list its contents, and format each entry as either `[DIR]`\n\nor `[FILE]`\n\nwith a byte size. The returned string is plain English with structure the model can parse on the second pass:\n\n```\n entries = sorted(os.listdir(requested))\n if not entries:\n return f\"The directory '{path}' is empty.\"\n\n lines = [f\"Contents of '{path}' ({len(entries)} item(s)):\"]\n for name in entries:\n full = os.path.join(requested, name)\n if os.path.isdir(full):\n lines.append(f\" [DIR] {name}/\")\n else:\n try:\n size = os.path.getsize(full)\n lines.append(f\" [FILE] {name} ({size} bytes)\")\n except OSError:\n lines.append(f\" [FILE] {name}\")\n return \"\\n\".join(lines)\n```\n\nThe JSON schema we hand to the model is deliberately permissive on the parameter side — `path`\n\nis optional, defaulting to the workspace root, because most useful first questions are about the current folder:\n\n```\n{\n \"type\": \"function\",\n \"function\": {\n \"name\": \"list_directory_contents\",\n \"description\": (\n \"Lists files and subdirectories inside a path within the user's workspace. \"\n \"Use this to inspect the environment before answering questions about local files.\"\n ),\n \"parameters\": {\n \"type\": \"object\",\n \"properties\": {\n \"path\": {\n \"type\": \"string\",\n \"description\": (\n \"A relative path inside the workspace, e.g. '.', 'data', or 'src/utils'. \"\n \"Defaults to the workspace root.\"\n )\n }\n },\n \"required\": []\n }\n }\n}\n```\n\nNote the description does a small amount of prompt engineering: \"Use this to inspect the environment before answering questions about local files.\" That sentence pushes Gemma 4 toward calling the tool when the user asks a vague question about \"my files\" rather than guessing at what might be there.\n\n## # Tool 2: A Restricted Python Interpreter\n\nThe second tool, `execute_python_code`\n\n, is the more dangerous and the more pedagogically interesting of the two. The premise is that language models, especially small ones, are unreliable at precise arithmetic, exact string manipulation, and anything involving more than a couple of steps of branching logic. A tool that lets the model write and run a deterministic snippet is a much better answer to those problems than asking it to reason through them in natural language.\n\nThe implementation uses `exec()`\n\nwith a deliberately stripped-down builtins namespace:\n\n``` php\ndef execute_python_code(code: str) -> str:\n \"\"\"Executes a snippet of Python code and returns whatever was printed to stdout.\n\n This is a learning-only sandbox. exec() is fundamentally unsafe; do not expose this tool\n to untrusted users or networks. The restrictions below stop the casual cases, not a \n determined attacker.\n \"\"\"\n try:\n # A minimal restricted environment. We strip __builtins__ down to a small\n # whitelist so that, e.g., open(), eval(), and __import__ are not directly\n # available from the snippet's global scope.\n safe_builtins = {\n \"abs\": abs, \"all\": all, \"any\": any, \"bool\": bool, \"dict\": dict,\n \"divmod\": divmod, \"enumerate\": enumerate, \"filter\": filter, \"float\": float,\n \"int\": int, \"len\": len, \"list\": list, \"map\": map, \"max\": max, \"min\": min,\n \"pow\": pow, \"print\": print, \"range\": range, \"repr\": repr, \"reversed\": reversed,\n \"round\": round, \"set\": set, \"sorted\": sorted, \"str\": str, \"sum\": sum,\n \"tuple\": tuple, \"zip\": zip,\n }\n # Pre-import a couple of safe, useful modules so the model doesn't have to.\n import math, statistics\n restricted_globals = {\n \"__builtins__\": safe_builtins,\n \"math\": math,\n \"statistics\": statistics,\n }\n```\n\nA few decisions worth calling out. We replace `__builtins__`\n\nentirely rather than blacklisting individual functions, which means `open`\n\n, `eval`\n\n, `exec`\n\n, `compile`\n\n, `__import__`\n\n, `input`\n\n, and anything else not in our whitelist simply does not exist inside the snippet. We pre-import `math`\n\nand `statistics`\n\ninto the snippet's globals because the model will reach for them constantly and we would rather not force it to fight `__import__`\n\nrestrictions. We capture stdout with `contextlib.redirect_stdout`\n\nso the model gets back exactly what its snippet printed:\n\n```\n # Capture stdout so we can hand the printed output back to the model\n buffer = io.StringIO()\n with contextlib.redirect_stdout(buffer):\n exec(code, restricted_globals, {})\n\n output = buffer.getvalue().strip()\n if not output:\n return \"Code executed successfully but produced no output. Use print() to return a value.\"\n return f\"Output:\\n{output}\"\n```\n\nThe empty-output branch matters more than it looks. Small models will routinely write expressions like `x = sum(range(101))`\n\nand forget the `print(x)`\n\n. Returning a specific error telling them to use `print()`\n\ngives the orchestration loop the option to retry; without it, the model would synthesize a final answer based on an empty string and confidently invent a value.\n\nA final word on safety, since the script's docstring is blunt about it: this is a learning sandbox, not a hardened one. A determined adversary can break out of a Python `exec`\n\nsandbox in a dozen ways, most of them involving object introspection through `().__class__.__mro__`\n\n. For a single-user agent running on your own laptop on your own prompts, the whitelist is plenty. For anything else, you would want a real isolation layer — a subprocess with `seccomp`\n\n, a container, or `RestrictedPython`\n\n.\n\n## # The Orchestration Loop\n\nThe main loop is unchanged in structure from the previous tutorial. The model is queried with the user prompt and the tool registry, and if it responds with `tool_calls`\n\n, each call is dispatched against `TOOL_FUNCTIONS`\n\n:\n\n```\nif \"tool_calls\" in message and message[\"tool_calls\"]:\n print(\"[TOOL EXECUTION]\")\n messages.append(message)\n\n num_tools = len(message[\"tool_calls\"])\n for i, tool_call in enumerate(message[\"tool_calls\"]):\n function_name = tool_call[\"function\"][\"name\"]\n arguments = tool_call[\"function\"][\"arguments\"]\n ...\n if function_name in TOOL_FUNCTIONS:\n func = TOOL_FUNCTIONS[function_name]\n try:\n result = func(**arguments)\n ...\n messages.append({\n \"role\": \"tool\",\n \"content\": str(result),\n \"name\": function_name\n })\n```\n\nThe CLI formatting is worth a small tweak for this script. The `execute_python_code`\n\ntool's `code`\n\nargument can be a multi-line string with newlines in it, which will wreck an ASCII tree if printed naively. We flatten and truncate string arguments for the display only; the model still receives the full string when the function runs:\n\n``` python\ndef _short(v):\n if isinstance(v, str):\n flat = v.replace(\"\\n\", \"\\\\n\")\n if len(flat) > 60:\n flat = flat[:57] + \"...\"\n return f\"'{flat}'\"\n return str(v)\n\nargs_str = \", \".join(f\"{k}={_short(v)}\" for k, v in arguments.items())\n```\n\nOnce each tool result is appended back into the message history as a `\"role\": \"tool\"`\n\nentry, we re-call Ollama with the enriched payload and the model produces its grounded final answer. Same two-pass pattern, same logic.\n\n## # Testing the Tools\n\nAnd now we test our tool calling. Pull `gemma4:e2b`\n\nwith `ollama pull gemma4:e2b`\n\nif you have not already, then run the script from a folder you do not mind the model peeking at.\n\nLet's start with the filesystem tool. From the project directory:\n\nWhat scripts are in my current folder, and which one looks like it should be used to process CSVs?\n\nResult:\n\n```\n[SYSTEM]\n ○ Tool: execute_python_code......................[LOADED]\n ○ Tool: list_directory_contents..................[LOADED]\n ○ Workspace: /Users/matt/projects/gemma_agent.....[SANDBOXED]\n\n[PROMPT]\nWhat scripts are in my current folder, and which one looks like it should be used to process CSVs?\n\n[EXECUTION]\n ● Querying model...\n\n[TOOL EXECUTION]\n └── Calling: list_directory_contents\n ├─ Args: path='.'\n └─ Result: Contents of '.' (5 item(s)):\n [FILE] README.md (412 bytes)\n [FILE] csv_cleaner.py (1834 bytes)\n [FILE] main.py (10786 bytes)\n [FILE] notes.txt (88 bytes)\n [FILE] sales_report.py (2210 bytes)\n\n[EXECUTION]\n ● Synthesizing results...\n\n[RESPONSE]\nYour current folder contains five files. The one that looks intended for CSV\nprocessing is csv_cleaner.py — its name strongly suggests it handles CSV input.\nsales_report.py may also touch CSV data, but its name is more about output than\ningestion.\n```\n\nThe model called the tool, looked at the actual filenames, and made a reasonable inference grounded in the listing rather than in its weights. That is the difference between hallucination and observation.\n\nNext, the Python interpreter. A small task that small models reliably get wrong if asked to do it in their head:\n\nWhat is the standard deviation of the numbers 12, 18, 23, 24, 29, 31, 35, 41, 44, 47, rounded to four decimal places?\n\nResult:\n\n```\n[SYSTEM]\n ○ Tool: execute_python_code......................[LOADED]\n ○ Tool: list_directory_contents..................[LOADED]\n ○ Workspace: /Users/matt/projects/gemma_agent.....[SANDBOXED]\n\n[PROMPT]\nWhat is the standard deviation of the numbers 12, 18, 23, 24, 29, 31, 35, 41, 44, 47, rounded to four decimal places?\n\n[EXECUTION]\n ● Querying model...\n\n[TOOL EXECUTION]\n └── Calling: execute_python_code\n ├─ Args: code='nums = [12, 18, 23, 24, 29, 31, 35, 41, 44, 47]\\nprint(rou...'\n └─ Result: Output:\n 11.4659\n\n[EXECUTION]\n ● Synthesizing results...\n\n[RESPONSE]\nThe standard deviation of those numbers, rounded to four decimal places, is 11.4659.\n```\n\nThe model offloaded the calculation entirely; it wrote a snippet, called `statistics.stdev`\n\n, rounded the result, and reported what the interpreter said. No mental arithmetic, no approximation, no fabricated significant digits.\n\nFinally, the more interesting case: a prompt that requires both tools in sequence. The model has to inspect the folder **and** compute something about what it finds:\n\nLook at the files in the current folder and tell me the total size in kilobytes, rounded to two decimal places.\n\nOutput:\n\n```\n[SYSTEM]\n ○ Tool: execute_python_code......................[LOADED]\n ○ Tool: list_directory_contents..................[LOADED]\n ○ Workspace: /Users/matt/projects/gemma_agent.....[SANDBOXED]\n\n[PROMPT]\nLook at the files in the current folder and tell me the total size in kilobytes, rounded to two decimal places.\n\n[EXECUTION]\n ● Querying model...\n\n[TOOL EXECUTION]\n ┌── Calling: list_directory_contents\n │ ├─ Args: path='.'\n │ └─ Result: Contents of '.' (5 item(s)):\n │ [FILE] README.md (412 bytes)\n │ [FILE] csv_cleaner.py (1834 bytes)\n │ [FILE] main.py (10786 bytes)\n │ [FILE] notes.txt (88 bytes)\n │ [FILE] sales_report.py (2210 bytes)\n │\n └── Calling: execute_python_code\n ├─ Args: code='sizes = [412, 1834, 10786, 88, 2210]\\nprint(round(sum(siz...'\n └─ Result: Output:\n 15.33\n\n[EXECUTION]\n ● Synthesizing results...\n\n[RESPONSE]\nThe five files in the current folder total 15.33 KB.\n```\n\nTwo tools, in the right order, with the output of one feeding the argument of the other — produced by a 2-billion-parameter model running on a laptop with no GPU. The filesystem tool grounds the model in what is actually there; the interpreter tool grounds the answer in what is actually true. The model contributes the part it is genuinely good at, which is deciding which question to ask of which tool.\n\nIt is worth poking at the safety guards too, just to confirm they hold. Asking the model \"list the contents of `/etc`\n\n\" produces the expected denial message in the tool result, which the model then reports back gracefully rather than fabricating a directory listing. Asking it to run `open('/etc/passwd').read()`\n\ninside the interpreter produces a `NameError`\n\n, since `open`\n\nis not in the whitelisted builtins. Both failures degrade into useful error strings instead of silent compromises, which is exactly what you want at this layer.\n\n## # Conclusion\n\n[The earlier tutorial](https://machinelearningmastery.com/how-to-implement-tool-calling-with-gemma-4-and-python/) showed that Gemma 4 can reach across the internet on your behalf. This one shows it can reach into the machine you are sitting at, carefully, when you have built the carefulness in. Once you have a working tool-calling loop, the interesting question stops being \"can the model call a function\" and starts being \"what should I let it touch.\"\n\nA filesystem-aware tool and a code-execution tool together get you most of the way to something that genuinely earns the term **agent**: it can observe its environment, decide what calculation matters, and run that calculation deterministically rather than guessing. The pattern generalizes from there. Database queries, shell commands, git operations, document parsing; each one of these is the same JSON schema, the same dispatch table, the same two-pass synthesis, with whatever safety perimeter is appropriate for the blast radius of the underlying call.\n\nBuild the perimeter first. Then hand the model the keys to whatever sits inside it.\n\n(\n\n[Matthew Mayo](https://www.kdnuggets.com/wp-content/uploads/./profile-pic.jpg)\n\n[) holds a master's degree in computer science and a graduate diploma in data mining. As managing editor of](https://twitter.com/mattmayo13)\n\n**@mattmayo13**[KDnuggets](https://www.kdnuggets.com/)&\n\n[Statology](https://www.statology.org/), and contributing editor at\n\n[Machine Learning Mastery](https://machinelearningmastery.com/), Matthew aims to make complex data science concepts accessible. His professional interests include natural language processing, language models, machine learning algorithms, and exploring emerging AI. He is driven by a mission to democratize knowledge in the data science community. Matthew has been coding since he was 6 years old.", "url": "https://wpnews.pro/news/easy-agentic-tool-calling-with-gemma-4", "canonical_source": "https://www.kdnuggets.com/easy-agentic-tool-calling-with-gemma-4", "published_at": "2026-05-22 12:00:22+00:00", "updated_at": "2026-05-26 13:47:00.612543+00:00", "lang": "en", "topics": ["artificial-intelligence", "machine-learning", "large-language-models", "ai-agents", "ai-tools"], "entities": ["Gemma 4", "Machine Learning Mastery", "Python"], "alternates": {"html": "https://wpnews.pro/news/easy-agentic-tool-calling-with-gemma-4", "markdown": "https://wpnews.pro/news/easy-agentic-tool-calling-with-gemma-4.md", "text": "https://wpnews.pro/news/easy-agentic-tool-calling-with-gemma-4.txt", "jsonld": "https://wpnews.pro/news/easy-agentic-tool-calling-with-gemma-4.jsonld"}}