[Security]: security audit does not flag missing web_fetch URL allowlist

### Bug type
Missing check
### Summary
`openclaw security audit` does not check whether a URL allowlist is
configured for the web_fetch tool. Without one, an attacker who achieves
prompt injection can exfiltrate data to any external URL (T-EXFIL-001).
The SSRF guard blocks internal networks but permits all external URLs.
### Expected behavior
[warn] tools.web_fetch.no_url_allowlist — web_fetch has no outbound URL restrictions

### Actual behavior
No finding is emitted.
### OpenClaw version
Latest
### Operating system
All

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[Security]: security audit does not flag missing web_fetch URL allowlist #19

Bug type

Summary

Expected behavior

Actual behavior

OpenClaw version

Operating system

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Uh oh!

[Security]: security audit does not flag missing web_fetch URL allowlist #19

Description

Bug type

Summary

Expected behavior

Actual behavior

OpenClaw version

Operating system

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions