fix(policy): restrict baseline npm_registry to openclaw binary only (#1700)

BenediktSchackenberg · cv · web-flow · commit 855924fd0e42 · 2026-04-14T10:56:52.000-07:00
## Problem With 'none' policy selected during onboard, `npm install` still succeeded because the baseline policy (`openclaw-sandbox.yaml`) included `/usr/local/bin/npm` and `/usr/local/bin/node` in the `npm_registry` binaries list. This bypassed the user's intent of no external network access. The baseline `npm_registry` entry exists solely for `openclaw plugins install` — not for agent-driven npm usage. Any sandbox with 'none' preset should block npm from the agent. ## Fix Removed `/usr/local/bin/npm` and `/usr/local/bin/node` from the baseline `npm_registry` binaries list. Only `/usr/local/bin/openclaw` retains access to `registry.npmjs.org` by default. Users who need npm/node network access in the sandbox should add the `npm` preset during onboard or afterwards via `nemoclaw policy`. ## Testing - `nemoclaw onboard` with no policy presets → `npm install` should now be blocked (403 Forbidden from proxy) - `openclaw plugins install <plugin>` should still work (uses the openclaw binary) - `nemoclaw onboard` with npm preset → `npm install` still works as expected Fixes #1458 Signed-off-by: Benedikt Schackenberg <6381261+BenediktSchackenberg@users.noreply.github.com>  ## Summary by CodeRabbit * **New Features** * Added network policy entries to enable controlled Telegram and Discord messaging access. * **Chores** * Restricted registry access so only the plugin installer retains direct registry rights; npm/node are no longer allowed by default and require a separate preset. * **Documentation** * Updated network policy docs to reflect stricter allowed binaries and GET-only registry requests. * **Tests** * Added a regression test to enforce the registry access whitelist.  --------- Signed-off-by: Benedikt Schackenberg <6381261+BenediktSchackenberg@users.noreply.github.com> Co-authored-by: Carlos Villela <cvillela@nvidia.com>
diff --git a/.agents/skills/nemoclaw-user-reference/references/network-policies.md b/.agents/skills/nemoclaw-user-reference/references/network-policies.md
@@ -60,7 +60,7 @@ The following endpoint groups are allowed by default:
 
 * - `npm_registry`
   - `registry.npmjs.org:443`
-  - `/usr/local/bin/openclaw`, `/usr/local/bin/npm`, `/usr/local/bin/node`
+  - `/usr/local/bin/openclaw` only (openclaw plugins install)
   - GET only
 
 :::
diff --git a/docs/reference/network-policies.md b/docs/reference/network-policies.md
@@ -80,7 +80,7 @@ The following endpoint groups are allowed by default:
 
 * - `npm_registry`
   - `registry.npmjs.org:443`
-  - `/usr/local/bin/openclaw`, `/usr/local/bin/npm`, `/usr/local/bin/node`
+  - `/usr/local/bin/openclaw` only (openclaw plugins install)
   - GET only
 
 :::
diff --git a/nemoclaw-blueprint/policies/openclaw-sandbox.yaml b/nemoclaw-blueprint/policies/openclaw-sandbox.yaml
@@ -196,8 +196,10 @@ network_policies:
     binaries:
       - { path: /usr/local/bin/openclaw }
 
-  # npm registry — needed for `openclaw plugins install` and `npm install`.
-  # Read-only: agents only fetch packages, never publish.
+  # npm registry — needed for `openclaw plugins install` only.
+  # Restricted to the openclaw binary so agents cannot use npm directly.
+  # Users who need npm/node access should add the npm policy preset during onboard.
+  # Ref: https://github.com/NVIDIA/NemoClaw/issues/1458
   npm_registry:
     name: npm_registry
     endpoints:
@@ -210,5 +212,49 @@ network_policies:
           - allow: { method: GET, path: "/**" }
     binaries:
       - { path: /usr/local/bin/openclaw }
-      - { path: /usr/local/bin/npm }
+
+  # ── Messaging — pre-allowed for OpenClaw agent notifications ────
+  # Restricted to node processes to prevent arbitrary data exfiltration
+  # via curl, wget, python, etc. (See: #272)
+  telegram:
+    name: telegram
+    endpoints:
+      - host: api.telegram.org
+        port: 443
+        protocol: rest
+        enforcement: enforce
+        tls: terminate
+        rules:
+          - allow: { method: GET, path: "/bot*/**" }
+          - allow: { method: POST, path: "/bot*/**" }
+          - allow: { method: GET, path: "/file/bot*/**" }
+    binaries:
+      - { path: /usr/local/bin/node }
+
+  discord:
+    name: discord
+    endpoints:
+      - host: discord.com
+        port: 443
+        protocol: rest
+        enforcement: enforce
+        tls: terminate
+        rules:
+          - allow: { method: GET, path: "/**" }
+          - allow: { method: POST, path: "/**" }
+      # WebSocket gateway — must use access: full (CONNECT tunnel) instead
+      # of protocol: rest. The proxy's HTTP idle timeout (~2 min) kills
+      # long-lived WebSocket connections; a CONNECT tunnel avoids
+      # HTTP-level timeouts entirely. Matches presets/discord.yaml. See #409.
+      - host: gateway.discord.gg
+        port: 443
+        access: full
+      - host: cdn.discordapp.com
+        port: 443
+        protocol: rest
+        enforcement: enforce
+        tls: terminate
+        rules:
+          - allow: { method: GET, path: "/**" }
+    binaries:
       - { path: /usr/local/bin/node }
diff --git a/test/validate-blueprint.test.ts b/test/validate-blueprint.test.ts
@@ -253,6 +253,19 @@ describe("base sandbox policy", () => {
     );
     expect(githubHosts).toEqual([]);
   });
+
+  it("regression #1458: baseline npm_registry must not include npm or node binaries", () => {
+    const np = policy.network_policies as Record<string, Record<string, unknown>>;
+    const npmRegistry = np.npm_registry;
+    expect(npmRegistry).toBeDefined();
+    const binaries = npmRegistry.binaries as Array<{ path: string }> | undefined;
+    expect(Array.isArray(binaries)).toBe(true);
+    const paths = (binaries ?? []).map((b) => b.path).sort();
+    // Only openclaw CLI should reach the npm registry by default.
+    // npm/node being in this list lets the agent bypass 'none' policy preset.
+    // Exact allowlist — adding any binary here requires a deliberate review.
+    expect(paths).toEqual(["/usr/local/bin/openclaw"]);
+  });
 });
 
 describe("github preset", () => {
