
fix: remove Telegram Bot API from default sandbox network policy #766

Closed
thebenignhacker wants to merge 1 commit into NVIDIA:main from opena2a-org:fix/H-007-telegram-exfiltration-channel

@thebenignhacker thebenignhacker commented Mar 24, 2026

Summary

api.telegram.org is pre-allowed in the default sandbox network policy
with unrestricted GET and POST /bot*/** access. This provides any
sandboxed agent with an out-of-box data exfiltration channel via the
Telegram Bot API (POST /bot<token>/sendDocument) without user approval
or notification.

Change

Remove api.telegram.org from the base policy. Telegram integration
should be an explicit user opt-in via the existing telegram preset:

nemoclaw <sandbox> policy-add  →  select "telegram"

The preset at nemoclaw-blueprint/policies/presets/telegram.yaml is
unchanged and available for users who need Telegram Bot API access.

Detection

This vulnerability class is detectable via HackMyAgent:

npx hackmyagent secure .

References

  • PSIRT disclosure: tickets 6009892–6010011
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Summary by CodeRabbit

  • Refactor

    • Moved Telegram access configuration to optional preset instead of including it in base policy
  • Tests

    • Added tests to verify Telegram policy configuration and preset availability

api.telegram.org was pre-allowed in the default sandbox network policy
with unrestricted GET and POST /bot*/** access. This provides any
sandboxed agent with an out-of-box data exfiltration channel via the
Telegram Bot API (POST /bot<token>/sendDocument) without user approval.

Remove api.telegram.org from the base policy. Users who need Telegram
integration can opt in via the existing telegram preset:
  nemoclaw <sandbox> policy-add → select "telegram"

Detection: npx hackmyagent secure .

References:
- PSIRT disclosure: tickets 6009892-6010011
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
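
An added example (not code from this PR or from the NemoClaw project) of a regression check for the condition described above: it shows that a `/bot*/**` POST rule admits the `sendDocument` path, and lists every base-policy rule that lets the sandbox send a request body to a host the operator did not approve. The policy object shape (`endpoints`, `rules`, `method`, `path`), the glob semantics, the host `inference.example` and the `TOKEN` placeholder are assumptions made for illustration.

```javascript
// Added example. The policy shape and glob semantics are assumptions, not NemoClaw's schema.
const WRITE_METHODS = new Set(["POST", "PUT", "PATCH"]);

// Assumed glob semantics: "*" stays inside one path segment, "**" spans segments.
function globToRegExp(glob) {
  const body = glob
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*\*/g, "\u0000")
    .replace(/\*/g, "[^/]*")
    .replace(/\u0000/g, ".*");
  return new RegExp(`^${body}$`);
}

// Flatten a policy into { service, host, method, path } rules.
function rulesOf(policy) {
  const out = [];
  for (const [service, svc] of Object.entries(policy.network_policies || {}))
    for (const ep of svc.endpoints || [])
      for (const r of ep.rules || [])
        out.push({ service, host: ep.host, method: r.method, path: r.path });
  return out;
}

// Would the policy let a sandboxed process send this request?
function isAllowed(policy, host, method, path) {
  return rulesOf(policy).some(
    (r) => r.host === host && r.method === method && globToRegExp(r.path).test(path)
  );
}

// Rules that let the sandbox push a request body to a host the operator never approved.
function findWriteChannels(policy, approvedHosts) {
  return rulesOf(policy)
    .filter((r) => WRITE_METHODS.has(r.method) && !approvedHosts.has(r.host))
    .map((r) => `${r.service}: ${r.method} ${r.host}${r.path}`);
}

// Constructed sample policies: the base policy before and after the change.
const inference = { endpoints: [{ host: "inference.example", rules: [{ method: "POST", path: "/v1/**" }] }] };
const telegram = { endpoints: [{ host: "api.telegram.org", rules: [
  { method: "GET", path: "/bot*/**" }, { method: "POST", path: "/bot*/**" }] }] };
const before = { network_policies: { inference, telegram } };
const after = { network_policies: { inference } };
const approved = new Set(["inference.example"]);

console.log(isAllowed(before, "api.telegram.org", "POST", "/botTOKEN/sendDocument"));
console.log(findWriteChannels(before, approved));
console.log(findWriteChannels(after, approved));
```

Run against the real base policy in CI, a non-empty result from `findWriteChannels` is the signal that a host belongs in an opt-in preset instead.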

coderabbitai bot commented Mar 24, 2026

Walkthrough

The base sandbox policy is refactored to remove Telegram Bot API access, with Telegram now available as an optional preset that can be explicitly applied. Test coverage is added to validate that Telegram is excluded from the base policy and that the preset loads correctly.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Base Policy Configuration: nemoclaw-blueprint/policies/openclaw-sandbox.yaml | Removed the network_policies.telegram block that previously allowed Telegram Bot API traffic to api.telegram.org:443. Updated comments to indicate Telegram access must be enabled separately via the telegram preset. |
| Policy Tests: test/policies.test.js | Added "base policy security" test suite that verifies the base policy does not contain Telegram configuration and validates that the telegram preset can be loaded and references api.telegram.org. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A telegram once sat in the sandbox base,
Now plucked and placed in a preset space,
Optional and modular, the better way,
Test-blessed and ready to save the day! 📨✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the primary change: removing Telegram Bot API access from the default sandbox network policy. It is concise, clear, and directly reflects the main security fix implemented in the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (2)
test/policies.test.js (1)

90-106: Test coverage for the security fix looks solid.

The tests correctly verify both that Telegram is excluded from the base policy and that the opt-in preset remains available. This provides good regression protection for the exfiltration fix.

One minor style issue: Line 92 uses require("fs") while the rest of the file uses ESM imports. Consider consistency:

♻️ Suggested refactor for import consistency

Add at the top of the file with other imports:

import fs from "node:fs";

Then update the test:

     it("base policy must not include telegram (exfiltration risk)", () => {
-      const fs = require("fs");
       const basePolicyPath = path.join(
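Review bot: the deleted `const fs = require("fs");` line inside the "base policy must not include telegram (exfiltration risk)" test leaves `fs` unbound unless the `import fs from "node:fs";` line proposed above lands in the same commit. The hunk shows only the deletion, so the suggestion should carry the import as a `+` line in the same diff to keep the test runnable when applied as shown.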
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/policies.test.js` around lines 90 - 106, Replace the CommonJS require
call with the ESM fs import used elsewhere: add an import for node:fs at the top
of the test file with the other imports and then remove/replace the
require("fs") usage inside the "base policy must not include telegram
(exfiltration risk)" test (where basePolicyPath and content are computed) so the
test uses the imported fs symbol consistently across the file.
nemoclaw-blueprint/policies/openclaw-sandbox.yaml (1)

166-190: Consider: Discord may present similar exfiltration risk.

Discord remains in the base policy with POST access, which could potentially be used for data exfiltration via Discord webhooks (e.g., POST /api/webhooks/<id>/<token>). While this PR correctly addresses the Telegram issue per the PSIRT tickets, you may want to evaluate whether Discord should also be moved to an opt-in preset for consistency.

This is not a blocker for this PR—just flagging for future security review.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@nemoclaw-blueprint/policies/openclaw-sandbox.yaml` around lines 166 - 190,
Discord endpoints in the openclaw-sandbox policy currently allow POST (hosts:
discord, gateway.discord.gg, cdn.discordapp.com) which can enable exfiltration
via webhooks; update the policy by either removing or restricting POST rules for
these hosts (e.g., change POST to GET-only, move the three discord endpoint
blocks into an opt-in preset, or set enforcement to monitor for POSTs) and
ensure any change is applied to the 'discord' service definition and its
endpoint rule lists to maintain consistency with the Telegram fix.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 5681e8c0-50a4-4170-aac5-c90dd687d261

📥 Commits

Reviewing files that changed from the base of the PR and between 166319d and 2b1fbd5.

📒 Files selected for processing (2)
  • nemoclaw-blueprint/policies/openclaw-sandbox.yaml
  • test/policies.test.js

@wscurran wscurran added the bug, Integration: Telegram, and security labels Mar 24, 2026
@wscurran
Contributor

Thanks for submitting this PR, it removes a potential data exfiltration channel via the Telegram Bot API, which could improve the security of the NemoClaw project and prevent unauthorized access to user data.

@drobison00

Automated PR. Closing.
