Summary
All 9 policy presets, and the default policy entries for `telegram` and `discord` in `openclaw-sandbox.yaml`, are missing `binaries` sections, causing OpenShell's proxy to return 403 Forbidden for every request, even when the endpoints match.
This is the same root cause as #19 (which only identified `pypi` and `npm`), but the bug affects all presets: discord, docker, huggingface, jira, npm, outlook, pypi, slack, and telegram.
Root cause
OpenShell's OPA Rego policy (`sandbox-policy.rego`) requires both `endpoint_allowed` AND `binary_allowed` to match for a network request to be permitted:

```rego
network_policy_for_request if {
    some name
    data.network_policies[name]
    endpoint_allowed(data.network_policies[name], input.network)
    binary_allowed(data.network_policies[name], input.exec)
}
```

When `binaries` is empty or absent, the `binary_allowed` rule iterates over zero candidates and always returns false, so the proxy denies every request regardless of endpoint matching.
Reproduction
```shell
nemoclaw onboard --non-interactive
# Apply any preset, e.g. pypi:
nemoclaw my-assistant policy-add   # select pypi
# Connect and test:
nemoclaw my-assistant connect
pip install requests
# -> 403 Forbidden
```

Verbose curl from inside the sandbox confirms that the endpoint matches but the proxy blocks the request:

```
CONNECT pypi.org:443 HTTP/1.1
< HTTP/1.1 403 Forbidden
```
Affected policies
| Policy | Location | Status |
| --- | --- | --- |
| pypi | preset | Missing `binaries` |
| npm | preset | Missing `binaries` |
| discord | preset + default | Missing `binaries` |
| telegram | preset + default | Missing `binaries` |
| slack | preset | Missing `binaries` |
| jira | preset | Missing `binaries` |
| outlook | preset | Missing `binaries` |
| docker | preset | Missing `binaries` |
| huggingface | preset | Missing `binaries` |
Expected behavior
Applying a preset should allow the declared traffic. Each preset needs a `binaries` section listing the executables that legitimately access those endpoints (e.g., `python3*`/`pip*` for pypi, `node*`/`npm*` for npm, `openclaw`/`node*`/`python3*`/`curl` for API presets).
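To make the root cause and the expected fix concrete, here is a small Python model of the `network_policy_for_request` rule quoted above, evaluated against a preset with no `binaries` (the bug) and the same preset with the `binaries` list the "Expected behavior" section asks for. This is an added illustration, not OpenShell's code or schema: the policy shape (`endpoints` plus `binaries`), the `host:port` endpoint matching, the glob matching of binary names and the policy names are all assumptions made for this example.

```python
"""Model of the allow rule from sandbox-policy.rego as quoted in this issue.

Assumptions (not taken from OpenShell): a policy is {"endpoints": [...],
"binaries": [...]}, input.network carries host/port, input.exec carries the
binary name, and binary patterns are shell-style globs such as "pip*".
"""
from fnmatch import fnmatchcase

# Constructed sample policies: the buggy preset (empty binaries) and the
# corrected one with the executables that legitimately reach these endpoints.
NETWORK_POLICIES = {
    "pypi-broken": {
        "endpoints": ["pypi.org:443", "files.pythonhosted.org:443"],
        "binaries": [],  # missing section reproduces the 403 from the report
    },
    "pypi-fixed": {
        "endpoints": ["pypi.org:443", "files.pythonhosted.org:443"],
        "binaries": ["python3*", "pip*"],
    },
}


def endpoint_allowed(policy, network):
    """Mirror of endpoint_allowed: some declared endpoint equals host:port."""
    target = f"{network['host']}:{network['port']}"
    return any(endpoint == target for endpoint in policy.get("endpoints", []))


def binary_allowed(policy, exec_info):
    """Mirror of binary_allowed.  In Rego, `some b in policy.binaries` has no
    binding when the list is empty or absent, so the rule is undefined (false);
    any() over an empty iterable gives the same result here."""
    patterns = policy.get("binaries") or []
    return any(fnmatchcase(exec_info["binary"], pattern) for pattern in patterns)


def network_policy_for_request(policies, request):
    """Mirror of network_policy_for_request: name of a policy for which BOTH
    endpoint_allowed and binary_allowed hold, or None when nothing allows it."""
    for name, policy in policies.items():
        if endpoint_allowed(policy, request["network"]) and binary_allowed(
            policy, request["exec"]
        ):
            return name
    return None


def proxy_status(policies, request):
    """HTTP status the proxy would answer the CONNECT with (200 allow / 403 deny)."""
    return 200 if network_policy_for_request(policies, request) else 403


def make_request(host, port, binary):
    """Build the input document the policy is evaluated against."""
    return {"network": {"host": host, "port": port}, "exec": {"binary": binary}}


if __name__ == "__main__":
    pip_req = make_request("pypi.org", 443, "pip3")
    broken = {"pypi": NETWORK_POLICIES["pypi-broken"]}
    fixed = {"pypi": NETWORK_POLICIES["pypi-fixed"]}
    # Endpoint matches in both cases; only the binaries list decides the outcome.
    print("endpoint match:", endpoint_allowed(broken["pypi"], pip_req["network"]))
    print("broken preset ->", proxy_status(broken, pip_req))   # 403
    print("fixed preset  ->", proxy_status(fixed, pip_req))    # 200
    print("curl, fixed   ->", proxy_status(fixed, make_request("pypi.org", 443, "curl")))  # 403
```

The last line shows the other side of the same rule: once `binaries` is populated, an executable not on the list is still denied even though the endpoint matches, so the fix is to add the right binaries rather than to loosen the endpoint check.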
Related
- `pypi` and `npm` policy presets so package managers work inside the sandbox #19: original report for pypi/npm