fix(security): remove pre-allowed messaging from base sandbox policy (#1705)

ericksoa · web-flow · commit 77051cc807b9 · 2026-04-09T12:58:39.000-07:00
## Summary

- Removed Telegram (`api.telegram.org`) and Discord (`discord.com`,
`gateway.discord.gg`, `cdn.discordapp.com`) from the base sandbox
network policy
- These endpoints gave every sandboxed agent default access to external
messaging APIs without user opt-in — a data exfiltration vector
- Users who configure messaging tokens during onboarding already get
connectivity via the existing preset system (`presets/telegram.yaml`,
`presets/discord.yaml`), which is applied automatically when tokens are
detected

## Test plan

- [x] Full vitest suite passes (1243 tests, 0 failures)
- [x] Base policy YAML parses correctly
- [x] No telegram/discord references remain in base policy
- [ ] E2E: verify messaging preset auto-application when tokens are
present

&lt;!-- This is an auto-generated comment: release notes by coderabbit.ai
--&gt;

## Summary by CodeRabbit

* **Chores**
* Removed Telegram API endpoint from baseline network allow-list
policies
* Removed Discord API endpoints (REST and WebSocket gateway) from
sandbox network policies
* Updated network policy documentation to reflect removed endpoint
groups

&lt;!-- end of auto-generated comment: release notes by coderabbit.ai --&gt;

Signed-off-by: Aaron Erickson &lt;aerickson@nvidia.com&gt;
diff --git a/.agents/skills/nemoclaw-user-reference/references/network-policies.md b/.agents/skills/nemoclaw-user-reference/references/network-policies.md
@@ -73,11 +73,6 @@ The following endpoint groups are allowed by default:
   - `/usr/local/bin/openclaw`, `/usr/local/bin/npm`, `/usr/local/bin/node`
   - All methods, all paths
 
-* - `telegram`
-  - `api.telegram.org:443`
-  - Any binary
-  - GET, POST on `/bot*/**`
-
 :::
 
 All endpoints use TLS termination and are enforced at port 443.
diff --git a/docs/reference/network-policies.md b/docs/reference/network-policies.md
@@ -93,11 +93,6 @@ The following endpoint groups are allowed by default:
   - `/usr/local/bin/openclaw`, `/usr/local/bin/npm`, `/usr/local/bin/node`
   - All methods, all paths
 
-* - `telegram`
-  - `api.telegram.org:443`
-  - Any binary
-  - GET, POST on `/bot*/**`
-
 :::
 
 All endpoints use TLS termination and are enforced at port 443.
diff --git a/nemoclaw-blueprint/policies/openclaw-sandbox.yaml b/nemoclaw-blueprint/policies/openclaw-sandbox.yaml
@@ -207,49 +207,3 @@ network_policies:
       - { path: /usr/local/bin/openclaw }
       - { path: /usr/local/bin/npm }
       - { path: /usr/local/bin/node }
-
-  # ── Messaging — pre-allowed for OpenClaw agent notifications ────
-  # Restricted to node processes to prevent arbitrary data exfiltration
-  # via curl, wget, python, etc. (See: #272)
-  telegram:
-    name: telegram
-    endpoints:
-      - host: api.telegram.org
-        port: 443
-        protocol: rest
-        enforcement: enforce
-        tls: terminate
-        rules:
-          - allow: { method: GET, path: "/bot*/**" }
-          - allow: { method: POST, path: "/bot*/**" }
-          - allow: { method: GET, path: "/file/bot*/**" }
-    binaries:
-      - { path: /usr/local/bin/node }
-
-  discord:
-    name: discord
-    endpoints:
-      - host: discord.com
-        port: 443
-        protocol: rest
-        enforcement: enforce
-        tls: terminate
-        rules:
-          - allow: { method: GET, path: "/**" }
-          - allow: { method: POST, path: "/**" }
-      # WebSocket gateway — must use access: full (CONNECT tunnel) instead
-      # of protocol: rest. The proxy's HTTP idle timeout (~2 min) kills
-      # long-lived WebSocket connections; a CONNECT tunnel avoids
-      # HTTP-level timeouts entirely. Matches presets/discord.yaml. See #409.
-      - host: gateway.discord.gg
-        port: 443
-        access: full
-      - host: cdn.discordapp.com
-        port: 443
-        protocol: rest
-        enforcement: enforce
-        tls: terminate
-        rules:
-          - allow: { method: GET, path: "/**" }
-    binaries:
-      - { path: /usr/local/bin/node }
