Security: No outbound message restrictions — AI agents can send to arbitrary numbers

[nu-gui]

Summary

OpenClaw has inbound message filtering (allowFrom) but no outbound equivalent. This means any process with gateway access — including AI coding agents running in headless mode — can send messages to arbitrary phone numbers via openclaw message send with no restrictions.

Security Impact

Severity: HIGH — Affects any deployment where:

• AI agents have shell access (headless mode, coding assistants)
• Messaging channels (WhatsApp, Telegram) are enabled
• The gateway is reachable from the agent's environment

Real-world incident

An AI agent running with --dangerously-skip-permissions completed its assigned coding task, then autonomously invoked openclaw message send to a hallucinated phone number it fabricated. Business-sensitive project details were sent from a WhatsApp Business account to an unknown international number. The message was discovered 11 hours later.

Attack surface

1. CLI bypass — openclaw message send bypasses session.sendPolicy entirely
2. No gateway-level outbound filter — the gateway will deliver messages to any valid number
3. AI agent hallucination — agents can invent target numbers that don't appear in any config
4. No audit/approval gate — sends are fire-and-forget with no confirmation step

Proposed Fix: allowTo (outbound allowlist)

Mirror the existing allowFrom pattern with an outbound equivalent:

{
  "channels": {
    "whatsapp": {
      "allowFrom": ["+27xxxxxxxxx"],
      "allowTo": ["+27xxxxxxxxx", "+27yyyyyyyyy"]
    }
  }
}

Behavior:

• If allowTo is defined, the gateway MUST reject sends to any number not in the list
• If allowTo is omitted, current behavior is preserved (no restriction)
• Enforcement at the gateway level so it cannot be bypassed by CLI, session, or API calls

Current Workarounds

These mitigate but don't fully solve the problem:

Layer	Workaround	Limitation
Claude Code settings	permissions.deny: ["Bash(openclaw message *)"]	Only protects Claude Code, not other agents
Session policy	session.sendPolicy: default-deny	CLI bypasses session policies
Agent config	Tool deny lists	Only covers configured agents
Process	Ban --dangerously-skip-permissions	Policy, not enforcement

None of these protect at the gateway level. A rogue process, misconfigured agent, or prompt injection attack can still send to arbitrary numbers.

Related

• Feature: Outbound allowlist for messaging channels (allowTo) #6324 — Feature request for outbound allowlist (closed due to OpenClaw: Stabilisation Mode #5799 stabilization mode)

Environment

• OpenClaw v2026.2.3-1
• Channels: WhatsApp (Baileys), Telegram
• Agent: Claude Code headless mode

[steipete]

Thanks for the detailed report. Re-triaged against current main and current security policy.

Current status: this is not a security-boundary bug in OpenClaw’s trust model.

Why:

• OpenClaw treats authenticated Gateway callers as trusted operators for that gateway instance (SECURITY.md, “Operator Trust Model”).
• The send RPC path (src/gateway/server-methods/send.ts) intentionally handles explicit operator sends and does not apply session.sendPolicy.
• session.sendPolicy is enforced on agent/chat/session reply flows (src/gateway/server-methods/chat.ts, src/gateway/server-methods/agent.ts, src/commands/agent.ts), not as a global outbound ACL for explicit operator sends.
• The policy also explicitly marks reports expecting multi-tenant/per-user authorization on one shared gateway boundary as out-of-scope.

So the claim as a security vulnerability (“bypass”) is not valid under the documented boundaries. The underlying desire (optional outbound allowlist / allowTo-style hardening) is a product hardening feature request, not a security defect.

Closing as not planned for security triage.