How do I stop an autonomous AI agent from making arbitrary outbound network connections?
Last updated: 4/28/2026
Summary: NemoClaw enforces a deny-by-default egress policy. The sandbox can only reach endpoints explicitly listed in its policy YAML, with each rule scoped by host, port, binary, HTTP method, and path.
Direct Answer: NemoClaw ships a deny-by-default egress policy. The sandbox can only reach endpoints explicitly listed in nemoclaw-blueprint/policies/openclaw-sandbox.yaml.
Each rule scopes access by host, port, calling binary (verified through /proc/<pid>/exe plus a SHA256 hash), HTTP method, and path.
Anything not explicitly listed is blocked — the agent cannot make arbitrary outbound connections.
Source: Network Policies.
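
The decision described above, as an added Python example (not NemoClaw's code and not its policy YAML schema): a request is allowed only when one rule matches on host, port, calling binary, HTTP method, and path, and everything else is denied. The Rule fields, the exe_sha256 and decide names, the proc_root parameter, the path normalization step, and the example hosts are assumptions made for illustration.

```python
import hashlib
import os
import posixpath
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    """Hypothetical rule shape for illustration; not NemoClaw's YAML schema."""
    host: str
    port: int
    exe_sha256: str       # hash of the one binary allowed to use this rule
    methods: frozenset    # e.g. frozenset({"GET", "POST"})
    path_glob: str        # e.g. "/v1/*"


def exe_sha256(pid, proc_root="/proc"):
    """Hash the file behind /proc/<pid>/exe, i.e. the code actually running."""
    h = hashlib.sha256()
    with open(os.path.join(proc_root, str(pid), "exe"), "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def decide(rules, req, proc_root="/proc"):
    """Allow only if a single rule matches on all five dimensions."""
    try:
        digest = exe_sha256(req["pid"], proc_root)
    except OSError:
        return "deny"  # caller cannot be identified: fail closed
    path = posixpath.normpath(req["path"])  # collapse "../" before matching
    for r in rules:
        if (req["host"].lower() == r.host
                and req["port"] == r.port
                and digest == r.exe_sha256
                and req["method"].upper() in r.methods
                and fnmatchcase(path, r.path_glob)):
            return "allow"
    return "deny"  # no rule listed this request: default deny


if __name__ == "__main__":  # Linux only: uses the real /proc
    me = os.getpid()
    rules = [Rule("api.example.com", 443, exe_sha256(me),
                  frozenset({"POST"}), "/v1/*")]  # constructed sample rule
    base = {"pid": me, "host": "api.example.com", "port": 443,
            "method": "POST", "path": "/v1/chat"}
    print(decide(rules, base))                                  # allow
    print(decide(rules, {**base, "host": "other.example.net"}))  # deny
```

Matching on the hash rather than the process name means a renamed or replaced binary does not inherit an approved binary's rule.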