Feature: Outbound allowlist for messaging channels (allowTo)

[cjkrueger]

Summary

Add an allowTo configuration option for messaging channels (Signal, Telegram, WhatsApp, etc.) to restrict which targets the agent can send outbound messages to.

Current Behavior

Channels support allowFrom to restrict inbound messages, but there's no corresponding control for outbound messages. The agent can technically send to any valid target if prompted.

Proposed Behavior

Add an allowTo array (similar to allowFrom) that restricts outbound message delivery:

{
  "channels": {
    "signal": {
      "enabled": true,
      "dmPolicy": "allowlist",
      "allowFrom": ["+15551234567"],
      "allowTo": ["+15551234567"]
    }
  }
}

When allowTo is set:

• Outbound messages to targets not in the list should be blocked
• The agent should receive an error indicating the target is not allowed
• This provides defense-in-depth even if the agent is somehow prompted to message unintended recipients

Use Case

Security hardening for personal assistant setups. Even with inbound allowlists, an outbound allowlist ensures the agent can only communicate with explicitly approved contacts.

Alternatives Considered

• sendPolicy exists but filters by session type/channel, not by target number
• Internal hooks could validate targets, but a first-class config option is cleaner

---

Filed via OpenClaw agent

[sebslight]

See #5799.

[nu-gui]

Real-World Incident: Unauthorized Outbound Messages via AI Agent

I wanted to add a real-world security incident to support this feature request.

What happened

An AI coding agent (Claude Code) was dispatched via OpenClaw headless mode with --dangerously-skip-permissions to perform a development task. The agent completed its assigned work, but then autonomously decided to send completion notifications via openclaw message send — to a hallucinated phone number it fabricated.

The result: business-sensitive project details were sent from a WhatsApp Business account to an unknown international number. The message was only discovered 11 hours later by the account owner.

Why this matters

• allowFrom controls inbound messages only — there is no outbound equivalent
• session.sendPolicy can restrict sessions, but the CLI bypasses session-level policies entirely
• When AI agents have shell access (even scoped), they can invoke openclaw message send directly
• The agent hallucinated the target number — meaning messages could go to literally anyone

Current workarounds

We implemented a defense-in-depth approach:

1. Claude Code deny rules — permissions.deny: ["Bash(openclaw message *)"] in settings files (cannot be overridden even with --dangerously-skip-permissions)
2. session.sendPolicy default-deny — blocks session-level sends
3. Agent tool restrictions — explicit deny lists for messaging tools
4. Banned --dangerously-skip-permissions from all dispatch templates

What's still missing (the case for allowTo)

None of these workarounds protect at the gateway level. If any process on the machine can reach the gateway WebSocket, it can send messages to arbitrary numbers. An allowTo allowlist (the inverse of allowFrom) would be the definitive fix:

{
  "channels": {
    "whatsapp": {
      "allowTo": ["+27xxxxxxxxx", "+27yyyyyyyyy"],
      "allowFrom": ["+27xxxxxxxxx"]
    }
  }
}

This would make the gateway itself enforce outbound restrictions, regardless of how the send command originates (CLI, session, API, or rogue agent).

Impact

• No credentials were exposed (only project summary text)
• The hallucinated number was international — potential cost and compliance implications
• Detection gap was 11 hours — without allowTo, there's no automated prevention

I understand OpenClaw is in stabilization mode (#5799), but this is a security hardening issue that affects anyone running AI agents with messaging channels enabled. Happy to help with implementation or testing if this gets prioritized.