Summary
Several network policy entries in openclaw-sandbox.yaml use method: "*" wildcard rules, allowing all HTTP methods to their respective APIs. The agent only needs POST for inference and telemetry, but the wildcard also permits DELETE, PUT, and PATCH — which map to destructive management operations on these same API hosts.
Affected endpoints and real risk per host
integrate.api.nvidia.com / inference-api.nvidia.com (NVIDIA)
What the agent needs: POST /v1/chat/completions
What the wildcard also allows:
DELETE /v2/nvcf/assets/{assetId} — delete Cloud Functions assets
DELETE /v2/nvcf/deployments/functions/{functionId}/versions/{versionId} — delete function deployments
The NVIDIA API key used for inference may also grant access to Cloud Functions management endpoints on the same host. A misaligned agent could delete deployed functions or assets from the operator's NVIDIA account.
api.anthropic.com (Anthropic)
What the agent needs: POST /v1/messages
What the wildcard also allows:
DELETE /v1/files/{file_id} — delete files from the Anthropic account
DELETE /v1/skills/{skill_id} — delete custom skills
The Anthropic API key used for inference also authenticates these management endpoints. A compromised agent could delete files or skills stored in the operator's Anthropic account.
sentry.io (Sentry error reporting)
What the agent needs: POST to Sentry ingest endpoints for error telemetry.
What the wildcard also allows:
DELETE /api/0/organizations/{org}/issues/ — bulk remove all issues
DELETE /api/0/projects/{org}/{project}/ — delete an entire project
DELETE /api/0/organizations/{org}/detectors/ — bulk delete monitors
If the Sentry auth token embedded in Claude Code has management scopes (which error reporting SDKs sometimes include), a compromised agent could delete projects, wipe issue history, or remove monitoring.
statsig.anthropic.com (Statsig telemetry)
Lowest risk — feature flag / analytics telemetry. The wildcard is unnecessary (only POST is needed for telemetry ingest) but the blast radius is limited.
Additional issue: missing L7 enforcement on two entries
statsig.anthropic.com and sentry.io have rules but lack protocol: rest and enforcement: enforce:
# Current — rules exist but L7 inspection is not activated
- host: statsig.anthropic.com
  port: 443
  rules:
    - allow: { method: "*", path: "/**" }
- host: sentry.io
  port: 443
  rules:
    - allow: { method: "*", path: "/**" }
Without protocol: rest, the rules are not evaluated at the HTTP level — the same issue as #1111. These entries should have protocol: rest and enforcement: enforce for the method/path rules to be enforced.
Suggested fix
Restrict each endpoint to the minimum HTTP methods and paths required:
claude_code:
  name: claude_code
  endpoints:
    - host: api.anthropic.com
      port: 443
      protocol: rest
      enforcement: enforce
      rules:
        - allow: { method: POST, path: "/v1/messages" }
        - allow: { method: POST, path: "/v1/messages/batches" }
    - host: statsig.anthropic.com
      port: 443
      protocol: rest
      enforcement: enforce
      rules:
        - allow: { method: POST, path: "/**" }
    - host: sentry.io
      port: 443
      protocol: rest
      enforcement: enforce
      rules:
        - allow: { method: POST, path: "/api/*/envelope/**" }
        - allow: { method: POST, path: "/api/*/store/**" }
  binaries:
    - { path: /usr/local/bin/claude }
nvidia:
  name: nvidia
  endpoints:
    - host: integrate.api.nvidia.com
      port: 443
      protocol: rest
      enforcement: enforce
      rules:
        - allow: { method: POST, path: "/v1/chat/completions" }
        - allow: { method: POST, path: "/v1/completions" }
        - allow: { method: POST, path: "/v1/embeddings" }
        - allow: { method: GET, path: "/v1/models" }
        - allow: { method: GET, path: "/v1/models/**" }
    - host: inference-api.nvidia.com
      port: 443
      protocol: rest
      enforcement: enforce
      rules:
        - allow: { method: POST, path: "/v1/chat/completions" }
        - allow: { method: POST, path: "/v1/completions" }
        - allow: { method: GET, path: "/v1/models" }
  binaries:
    - { path: /usr/local/bin/claude }
    - { path: /usr/local/bin/openclaw }
The exact paths may need tuning based on which API versions OpenClaw uses, but the principle is: POST to inference paths, GET to model listing, nothing else. No DELETE, no Cloud Functions management, no file/skill deletion.
Context
The policy file's own header states: "Principle: deny by default, allow only what's needed for core functionality." The wildcard method rules are the opposite of that principle — they allow everything and rely on the API key's scopes for access control, which is the provider's concern, not a security boundary the operator controls.
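A lint check for the two problems this issue describes (wildcard methods, and rules that lack protocol: rest / enforcement: enforce), as an added example that is not part of the original issue or the project's code. The POLICY dict is constructed sample data in the shape of the YAML above, already parsed, and the finding names are made up for illustration.

```python
# Added example: lint a parsed sandbox policy for wildcard methods and
# for rules that are present but not activated at L7.
# POLICY is constructed sample data mirroring the YAML shape on this page,
# as a YAML loader would return it; it is not the real policy file.
POLICY = {
    "claude_code": {"endpoints": [
        {"host": "api.anthropic.com", "port": 443, "protocol": "rest",
         "enforcement": "enforce",
         "rules": [{"allow": {"method": "*", "path": "/**"}}]},
        {"host": "statsig.anthropic.com", "port": 443,
         "rules": [{"allow": {"method": "*", "path": "/**"}}]},
    ]},
    "nvidia": {"endpoints": [
        {"host": "integrate.api.nvidia.com", "port": 443, "protocol": "rest",
         "enforcement": "enforce",
         "rules": [{"allow": {"method": "POST", "path": "/v1/chat/completions"}},
                   {"allow": {"method": "GET", "path": "/v1/models"}}]},
    ]},
}

WRITE_METHODS = {"DELETE", "PUT", "PATCH"}  # methods the issue calls destructive


def lint_policy(policy):
    """Return sorted, de-duplicated (policy_name, host, finding) tuples."""
    findings = []
    for name, entry in policy.items():
        for ep in entry.get("endpoints", []):
            rules = ep.get("rules", [])
            host = ep.get("host", "?")
            # Per the issue: without protocol: rest the rules are not
            # evaluated at the HTTP level, so they give no protection.
            if rules and ep.get("protocol") != "rest":
                findings.append((name, host, "rules-without-protocol-rest"))
            if rules and ep.get("enforcement") != "enforce":
                findings.append((name, host, "rules-not-enforced"))
            for rule in rules:
                method = str(rule.get("allow", {}).get("method", "")).upper()
                if method == "*":
                    findings.append((name, host, "wildcard-method"))
                elif method in WRITE_METHODS:
                    findings.append((name, host, "allows-" + method))
    return sorted(set(findings))


if __name__ == "__main__":
    for finding in lint_policy(POLICY):
        print(*finding, sep="\t")
```

Run against the real file by loading it with a YAML parser and passing the mapping of policy entries to lint_policy; a non-empty result can fail a CI check.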