Description
The permissive sandbox policies currently include a claude_code network policy block that grants direct access to Claude Code-related hosts:
api.anthropic.comstatsig.anthropic.comsentry.io
The rule uses access: full and binaries: [{ path: "/**" }], so any binary inside a sandbox using the permissive policy can reach those endpoints.
The broad access: full behavior is expected for shields down / permissive mode and is documented as unsafe for production. However, Claude Code is a separate optional tool, and these endpoints are included even when the user did not opt into Claude Code usage.
This appears in more than the global policy. src/lib/policy/index.ts resolves agent-specific permissive policies first, so the duplicated blocks in agents/openclaw/policy-permissive.yaml and agents/hermes/policy-permissive.yaml are also affected.
Expected behavior:
Claude Code-specific hosts should not be included in permissive policies by default. They should live in an explicit claude-code preset that users apply only when they intentionally install/run Claude Code inside the sandbox.
Reproduction Steps
- Inspect
nemoclaw-blueprint/policies/openclaw-sandbox-permissive.yaml.
- Locate
network_policies.claude_code.
- Observe that it allows:
api.anthropic.comstatsig.anthropic.comsentry.io
- Observe that the policy uses:
access: fullbinaries: [{ path: "/**" }]
- Repeat the same inspection for:
agents/openclaw/policy-permissive.yamlagents/hermes/policy-permissive.yaml
- Confirm that
src/lib/policy/index.ts resolves agent-specific permissive policies before falling back to the global permissive policy.
Environment
- OS: Not runtime-specific
- Node.js: Not runtime-specific
- Docker: Not runtime-specific
- NemoClaw: current main branch / source checkout
Debug Output
Not applicable. This is a static policy configuration issue.
Logs
Relevant paths:
- `nemoclaw-blueprint/policies/openclaw-sandbox-permissive.yaml`
- `agents/openclaw/policy-permissive.yaml`
- `agents/hermes/policy-permissive.yaml`
- `src/lib/policy/index.ts`
Checklist
Description
The permissive sandbox policies currently include a
claude_codenetwork policy block that grants direct access to Claude Code-related hosts:api.anthropic.comstatsig.anthropic.comsentry.ioThe rule uses
access: fullandbinaries: [{ path: "/**" }], so any binary inside a sandbox using the permissive policy can reach those endpoints.The broad
access: fullbehavior is expected forshields down/ permissive mode and is documented as unsafe for production. However, Claude Code is a separate optional tool, and these endpoints are included even when the user did not opt into Claude Code usage.This appears in more than the global policy.
src/lib/policy/index.tsresolves agent-specific permissive policies first, so the duplicated blocks inagents/openclaw/policy-permissive.yamlandagents/hermes/policy-permissive.yamlare also affected.Expected behavior:
Claude Code-specific hosts should not be included in permissive policies by default. They should live in an explicit
claude-codepreset that users apply only when they intentionally install/run Claude Code inside the sandbox.Reproduction Steps
nemoclaw-blueprint/policies/openclaw-sandbox-permissive.yaml.network_policies.claude_code.api.anthropic.comstatsig.anthropic.comsentry.ioaccess: fullbinaries: [{ path: "/**" }]agents/openclaw/policy-permissive.yamlagents/hermes/policy-permissive.yamlsrc/lib/policy/index.tsresolves agent-specific permissive policies before falling back to the global permissive policy.Environment
Debug Output
Logs
Checklist