[Feature]: Add tools.web.fetch.allowPrivateNetwork to allow private network access

[alokemajumder]

Summary

Add an opt-in tools.web.fetch.allowPrivateNetwork config key (boolean, default false) so web_fetch can reach private/internal network addresses when explicitly enabled.

Problem to solve

web_fetch blocks all private/internal network addresses (localhost, 10.x, 192.168.x, 172.16-31.x) via the SSRF guard. There is no config-level way to opt in to private network access for web_fetch.

This blocks agent architectures where agents need to call a local service via web_fetch:

[security] blocked URL fetch (url-fetch) target=http://127.0.0.1:9090/api/...
reason=Blocked hostname or private/internal/special-use IP address

The ToolsWebFetchSchema in zod-schema.agent-runtime.ts uses .strict(), so users cannot add custom keys — this requires an upstream schema change.

Proposed solution

Add allowPrivateNetwork (boolean, optional, default false) to ToolsWebFetchSchema. When true, pass policy: { allowPrivateNetwork: true } to fetchWithSsrFGuard.

"tools": {
  "web": {
    "fetch": { "enabled": true, "allowPrivateNetwork": true }
  }
}

The internal mechanism already exists — withTrustedWebToolsEndpoint() in web-guarded-fetch.ts passes { dangerouslyAllowPrivateNetwork: true } to the SSRF guard. This feature request is about exposing that capability to web_fetch via config.

Impact

• Affected: Deployments where agents call local/internal services via web_fetch (multi-agent pipelines, local API callbacks, internal documentation)
• Severity: Blocks workflow — agents cannot reach local services, pipeline stalls
• Frequency: Every agent session that needs localhost/private network access
• Consequence: No config-level workaround exists due to .strict() schema validation

Evidence/examples

The allowPrivateNetwork pattern is already established in the codebase:

• Browser tool: browser.ssrfPolicy.allowPrivateNetwork — defaults to true (trusted-network mode) in src/browser/config.ts
• Tlon extension: channels.tlon.allowPrivateNetwork in extensions/tlon/src/config-schema.ts
• Media providers: allowPrivateNetwork passed through in src/media-understanding/providers/deepgram/audio.ts
• Internal runtime: WEB_TOOLS_TRUSTED_NETWORK_SSRF_POLICY in src/agents/tools/web-guarded-fetch.ts already sets dangerouslyAllowPrivateNetwork: true for trusted endpoints

web_fetch is the only tool surface that does not expose this opt-in to config.

Additional information

• Default false — no change to existing behavior or security posture
• Follows the same pattern as three existing allowPrivateNetwork implementations in the codebase
• The operator who sets this config controls agent execution — same trust model as the browser tool's default-true behavior

[king123-sys]

I am also experiencing the same web_fetch blocking issue. Multiple websites (GitHub, NPM, OpenClaw docs, ClawHub) all return: Blocked: resolves to private/internal/special-use IP address. My network can access these sites normally (browser tool successfully accessed official docs). Tried switching networks (Wi-Fi hotspots), issue persists in current session, but web_search works fine. Please consider this case in PR #39630 and increase priority. This issue may affect more users. Thanks!

[nikopuf]

I am also experiencing the same web_fetch blocking issue. Multiple websites such as GitHub, NPM, OpenClaw docs, and ClawHub return the following error:

Blocked: resolves to private/internal IP address.

However, my network can access these websites normally through a browser, and even the browser tool was able to access the official documentation successfully.

It would be great if this case could also be considered in PR #39630, and the priority increased if possible, as this might affect more users.

Thanks!

[bsimms46x]

For me it told me it couldn't/wasn't allowed access github however adding instructions on using github in TOOLS.md resolves that. for web_fetch I have the same issue when i tell it to access resources on the local network however it will access these things if i tell it to use curl instead. seems a bit ridiculous if you ask me...

[bouslama-hamza]

Fix (temporary patch): The official tools.web.fetch.allowPrivateNetwork config key exists in OpenClaw's source (PR #24427) but is not yet released. We patched the SSRF module directly:

File: node_modules/openclaw/dist/ssrf-BdAu1_OT.js

// Before:
function isPrivateNetworkAllowedByPolicy(policy) {
    return policy?.dangerouslyAllowPrivateNetwork === true || policy?.allowPrivateNetwork === true;
}
const BLOCKED_HOSTNAMES = new Set(["localhost", "localhost.localdomain", "metadata.google.internal"]);

// After:
function isPrivateNetworkAllowedByPolicy(policy) {
    return true;
}
const BLOCKED_HOSTNAMES = new Set(["metadata.google.internal"]);

[seitzbg]

I'm also seeing this issue. Can it please be merged ?

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[garyd9]

Just adding a "me too." Seeing so many great PR's getting dropped and closed due to inactivity.