openclaw-egress

# OpenClaw Egress

Network DLP for agent workspaces. Scans skills and files for outbound URLs, data exfiltration endpoints, and network function calls.

## The Problem

Skills can phone home. A compromised skill can POST your workspace contents, API keys, or conversation history to an external server. Nothing monitors what URLs your skills connect to or what data they could send.


## Commands

### Full Scan

Scan workspace for all outbound network risks.

```bash
python3 {baseDir}/scripts/egress.py scan --workspace /path/to/workspace
```

### Skills-Only Scan

```bash
python3 {baseDir}/scripts/egress.py scan --skills-only --workspace /path/to/workspace
```

### Domain Map

List all external domains referenced in workspace.

```bash
python3 {baseDir}/scripts/egress.py domains --workspace /path/to/workspace
```

### Quick Status

```bash
python3 {baseDir}/scripts/egress.py status --workspace /path/to/workspace
```

## What It Detects

| Risk | Pattern |
|------|---------|
| **CRITICAL** | Base64/hex payloads in URLs, pastebin/sharing services, request catchers, dynamic DNS |
| **HIGH** | Network function calls (requests, urllib, curl, wget, fetch), webhook/callback URLs |
| **WARNING** | Suspicious TLDs (.xyz, .tk, .ml), URL shorteners, IP address endpoints |
| **INFO** | Any external URL not on the safe domain list |

## Exit Codes

- `0` — Clean
- `1` — Network calls detected (review needed)
- `2` — Exfiltration risk detected (action needed)

## No External Dependencies

Python standard library only. No pip install. No network calls. Everything runs locally.

## Cross-Platform

Works with OpenClaw, Claude Code, Cursor, and any tool using the Agent Skills specification.

# OpenClaw Egress

Network data loss prevention for [OpenClaw](https://github.com/openclaw/openclaw), [Claude Code](https://docs.anthropic.com/en/docs/claude-code), and any Agent Skills-compatible tool.

Maps every external connection your skills could make. Flags exfiltration endpoints, suspicious domains, and network function calls.


## Install

```bash
git clone https://github.com/AtlasPA/openclaw-egress.git
cp -r openclaw-egress ~/.openclaw/workspace/skills/
```

## Usage

```bash
# Full network scan
python3 scripts/egress.py scan

# Skills-only scan
python3 scripts/egress.py scan --skills-only

# List all external domains
python3 scripts/egress.py domains

# Quick status
python3 scripts/egress.py status
```

## What It Detects

- **Data exfiltration** — Base64/hex payloads in URL parameters
- **Sharing services** — Pastebin, transfer.sh, 0x0.st, file.io
- **Request catchers** — ngrok, requestbin, pipedream, beeceptor
- **Dynamic DNS** — duckdns, no-ip, dynu, freedns
- **URL shorteners** — bit.ly, tinyurl, t.co, goo.gl
- **IP endpoints** — Direct IP address connections
- **Suspicious TLDs** — .xyz, .tk, .ml, .ga, .cf, .top
- **Network code** — urllib, requests, httpx, aiohttp, curl, wget, fetch
- **Webhook callbacks** — /webhook, /callback, /hook, /beacon endpoints


|---------|------|-----|
| URL detection & classification | Yes | Yes |
| Network code analysis | Yes | Yes |
| Domain mapping | Yes | Yes |
| **Block exfil payloads** | - | Yes |
| **Quarantine calling skill** | - | Yes |
| **URL allowlist enforcement** | - | Yes |
| **Real-time egress monitoring** | - | Yes |

## Requirements

- Python 3.8+
- No external dependencies (stdlib only)
- Cross-platform: Windows, macOS, Linux

## License

MIT