Summary
Several network policy entries in openclaw-sandbox.yaml use `method: "*"` wildcard rules, allowing all HTTP methods to their respective APIs. The agent only needs POST for inference and telemetry, but the wildcard also permits DELETE, PUT, and PATCH — which map to destructive management operations on these same API hosts.
Affected endpoints and real risk per host
integrate.api.nvidia.com / inference-api.nvidia.com (NVIDIA)
What the agent needs: POST /v1/chat/completions
What the wildcard also allows:
- DELETE /v2/nvcf/assets/{assetId} — delete Cloud Functions assets
- DELETE /v2/nvcf/deployments/functions/{functionId}/versions/{versionId} — delete function deployments
The NVIDIA API key used for inference may also grant access to Cloud Functions management endpoints on the same host. A misaligned agent could delete deployed functions or assets from the operator's NVIDIA account.
api.anthropic.com (Anthropic)
What the agent needs: POST /v1/messages
What the wildcard also allows:
- DELETE /v1/files/{file_id} — delete files from the Anthropic account
- DELETE /v1/skills/{skill_id} — delete custom skills
The Anthropic API key used for inference also authenticates these management endpoints. A compromised agent could delete files or skills stored in the operator's Anthropic account.
sentry.io (Sentry error reporting)
What the agent needs: POST to Sentry ingest endpoints for error telemetry.
What the wildcard also allows:
- DELETE /api/0/organizations/{org}/issues/ — bulk remove all issues
- DELETE /api/0/projects/{org}/{project}/ — delete an entire project
- DELETE /api/0/organizations/{org}/detectors/ — bulk delete monitors
If the Sentry auth token embedded in Claude Code has management scopes (which error reporting SDKs sometimes include), a compromised agent could delete projects, wipe issue history, or remove monitoring.
statsig.anthropic.com (Statsig telemetry)
Lowest risk — feature flag / analytics telemetry. The wildcard is unnecessary (only POST is needed for telemetry ingest) but the blast radius is limited.
Additional issue: missing L7 enforcement on two entries
statsig.anthropic.com and sentry.io have rules but lack `protocol: rest` and `enforcement: enforce`:

```yaml
# Current — rules exist but L7 inspection is not activated
- host: statsig.anthropic.com
  port: 443
  rules:
    - allow: { method: "*", path: "/**" }
- host: sentry.io
  port: 443
  rules:
    - allow: { method: "*", path: "/**" }
```

Without `protocol: rest`, the rules are not evaluated at the HTTP level — the same issue as #1111. These entries should have `protocol: rest` and `enforcement: enforce` for the method/path rules to be enforced.
Suggested fix
Restrict each endpoint to the minimum HTTP methods and paths required:

```yaml
claude_code:
  name: claude_code
  endpoints:
    - host: api.anthropic.com
      port: 443
      protocol: rest
      enforcement: enforce
      rules:
        - allow: { method: POST, path: "/v1/messages" }
        - allow: { method: POST, path: "/v1/messages/batches" }
    - host: statsig.anthropic.com
      port: 443
      protocol: rest
      enforcement: enforce
      rules:
        - allow: { method: POST, path: "/**" }
    - host: sentry.io
      port: 443
      protocol: rest
      enforcement: enforce
      rules:
        - allow: { method: POST, path: "/api/*/envelope/**" }
        - allow: { method: POST, path: "/api/*/store/**" }
  binaries:
    - { path: /usr/local/bin/claude }
nvidia:
  name: nvidia
  endpoints:
    - host: integrate.api.nvidia.com
      port: 443
      protocol: rest
      enforcement: enforce
      rules:
        - allow: { method: POST, path: "/v1/chat/completions" }
        - allow: { method: POST, path: "/v1/completions" }
        - allow: { method: POST, path: "/v1/embeddings" }
        - allow: { method: GET, path: "/v1/models" }
        - allow: { method: GET, path: "/v1/models/**" }
    - host: inference-api.nvidia.com
      port: 443
      protocol: rest
      enforcement: enforce
      rules:
        - allow: { method: POST, path: "/v1/chat/completions" }
        - allow: { method: POST, path: "/v1/completions" }
        - allow: { method: GET, path: "/v1/models" }
  binaries:
    - { path: /usr/local/bin/claude }
    - { path: /usr/local/bin/openclaw }
```

The exact paths may need tuning based on which API versions OpenClaw uses, but the principle is: POST to inference paths, GET to model listing, nothing else. No DELETE, no Cloud Functions management, no file/skill deletion.
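To make the difference between the two policies and the missing-L7 problem concrete, here is an added evaluator (not OpenClaw's own policy engine) that walks constructed copies of the wildcard and restricted entries above and classifies a request as allowed, denied, or "l4-only" (host reachable, method/path rules never consulted). The `*` = one segment, `**` = any remainder glob semantics are an assumption for this illustration.

```python
import re

# Constructed policy fragments modelled on the issue's YAML (not OpenClaw's own
# parsed config); the glob semantics below are an assumption for this example.
WILDCARD = [
    {"host": "api.anthropic.com", "port": 443, "protocol": "rest",
     "enforcement": "enforce", "rules": [{"method": "*", "path": "/**"}]},
    {"host": "sentry.io", "port": 443,  # no protocol/enforcement keys
     "rules": [{"method": "*", "path": "/**"}]},
]
RESTRICTED = [
    {"host": "api.anthropic.com", "port": 443, "protocol": "rest",
     "enforcement": "enforce",
     "rules": [{"method": "POST", "path": "/v1/messages"},
               {"method": "POST", "path": "/v1/messages/batches"}]},
    {"host": "sentry.io", "port": 443, "protocol": "rest",
     "enforcement": "enforce",
     "rules": [{"method": "POST", "path": "/api/*/envelope/**"},
               {"method": "POST", "path": "/api/*/store/**"}]},
]

def path_matches(pattern: str, path: str) -> bool:
    """Assumed glob semantics: '*' = one path segment, '**' = any remainder."""
    regex = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.fullmatch(regex, path) is not None

def evaluate(policy: list, host: str, method: str, path: str) -> str:
    """Return 'allow', 'deny' or 'l4-only' for one request; 'l4-only' means the
    entry lacks protocol: rest / enforcement: enforce, so its rules never run."""
    for ep in policy:
        if ep["host"] != host:
            continue
        if ep.get("protocol") != "rest" or ep.get("enforcement") != "enforce":
            return "l4-only"
        for rule in ep["rules"]:
            if rule["method"] in ("*", method) and path_matches(rule["path"], path):
                return "allow"
        return "deny"  # host matched, but no rule allows this method/path
    return "deny"  # deny by default: host not listed at all

if __name__ == "__main__":
    for host, method, path in [("api.anthropic.com", "DELETE", "/v1/files/file_123"),
                               ("api.anthropic.com", "POST", "/v1/messages"),
                               ("sentry.io", "DELETE", "/api/0/projects/org/proj/")]:
        print(f"{method} {host}{path}: wildcard={evaluate(WILDCARD, host, method, path)}"
              f" restricted={evaluate(RESTRICTED, host, method, path)}")
```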
Context
The policy file's own header states: "Principle: deny by default, allow only what's needed for core functionality." The wildcard method rules are the opposite of that principle — they allow everything and rely on the API key's scopes for access control, which is the provider's concern, not a security boundary the operator controls.