Introduction
Network egress security is one of the most overlooked aspects of AI agent deployment. While we obsess over input validation and prompt injection defenses, we often forget about what data can LEAVE our systems.
The Problem
By default, OpenClaw gateway containers can reach ANY host on the internet. A malicious skill could exfiltrate secrets, send API keys to attacker-controlled servers, or establish covert channels.
ASF Solution: NemoClaw Egress Security
The Agent Security Framework implements deny-by-default network egress using:
- iptables allowlisting: Only approved destinations (api.telegram.org, etc.) are reachable
- Custom seccomp profiles: Replacing unconfined daemon profiles with minimal syscall sets
- Read-only workspace mounts: With targeted writable paths for legitimate work
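The deny-by-default allowlist described above, as an added example that is not ASF's own enforcement script: it turns an allowlist into iptables commands ending in LOG and DROP. iptables matches on addresses, so each entry is pinned to a pre-resolved IP. The chain name, subnet, resolver, FORWARD hook, allowlist format and all IPs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: turn an egress allowlist into deny-by-default iptables rules.
# CHAIN, SUBNET, RESOLVER and every IP below are constructed placeholders.
CHAIN="EGRESS_ALLOW"     # hypothetical chain name
SUBNET="172.30.0.0/24"   # assumed container bridge subnet
RESOLVER="172.30.0.1"    # assumed internal DNS resolver
NL='
'

# Constructed allowlist, one "host ip port" per line. The IPs come from a
# documentation range; they are not the real addresses of api.telegram.org.
sample_allowlist() {
  cat <<'EOF'
# host            ip            port
api.telegram.org  203.0.113.10  443
api.telegram.org  203.0.113.11  443
EOF
}

# Reads an allowlist on stdin and prints iptables commands on stdout.
# All-or-nothing: one malformed entry aborts before any rule is printed.
gen_egress_rules() {
  allow=""
  while read -r host ip port extra; do
    case "$host" in ''|'#'*) continue ;; esac
    case "$host" in *[!A-Za-z0-9.-]*) echo "bad host" >&2; return 1 ;; esac
    case "$ip" in ''|*[!0-9.]*) echo "bad ip for $host" >&2; return 1 ;; esac
    case "$port" in ''|*[!0-9]*) echo "bad port for $host" >&2; return 1 ;; esac
    [ -z "$extra" ] || { echo "trailing data for $host" >&2; return 1; }
    allow="${allow}iptables -A $CHAIN -d $ip -p tcp --dport $port -m comment --comment $host -j ACCEPT${NL}"
  done
  cat <<EOF
iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN
iptables -A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A $CHAIN -d $RESOLVER -p udp --dport 53 -j ACCEPT
${allow}iptables -A $CHAIN -j LOG --log-prefix "egress-denied: "
iptables -A $CHAIN -j DROP
iptables -C FORWARD -s $SUBNET -j $CHAIN 2>/dev/null || iptables -I FORWARD -s $SUBNET -j $CHAIN
EOF
}

# Dry run: print the rules for review instead of applying them.
if [ "${1:-}" = "--print" ]; then sample_allowlist | gen_egress_rules; fi
```

The FORWARD jump is emitted last so traffic is only diverted into the chain once the DROP rule is in place. Allowlisted IPs have to be refreshed when a destination's addresses change, since a hostname in the ip column is rejected rather than resolved.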
Verification
The security check passes 100/100. Key tests:
- curl to webhook.site = BLOCKED (data exfiltration prevented)
- curl to api.telegram.org = 200 (legitimate traffic allowed)
- All 6 Telegram bots still work
Implementation
ASF provides:
- Egress allowlist YAML policy
- iptables enforcement script
- Custom seccomp profile
- Read-only workspace mount configuration
- Verification test script