Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Openclaw Egress

Network data loss prevention for agent workspaces. Scans skills and files for outbound URLs, data exfiltration endpoints, suspicious domains, and network function calls. Maps every external connection. Free alert layer — upgrade to openclaw-egress-pro for blocking, quarantine, and URL allowlists.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
Name/description match the code's scanning capabilities (URL detection, network-call heuristics). Requiring only python3 is proportionate. However, the package also contains constants and helper functions for quarantine and allowlist persistence (QUARANTINE_PREFIX, BLOCK_COMMENT, save_allowlist) which go beyond a read-only scanner and are not clearly declared in SKILL.md's 'free alert' description.
Instruction Scope
SKILL.md documents only scanning, domain listing, and status commands and promises 'everything runs locally' with no external I/O. The script's header and constants indicate functionality to quarantine skills and enforce allowlists (which implies modifying files/directories). The instructions do not warn that running the script could rename directories, write .egress-allowlist.json, insert block comments, or otherwise modify workspace/skills.
Install Mechanism
No install spec; the skill is shipped as a script and README. That is low-risk from a supply-chain/remote-download perspective. It does include an actual script file (not instruction-only), so there is executable code to review.
Credentials
The skill requests no credentials and only python3, which is appropriate for scanning. However the script reads and writes inside the user's workspace (loads/saves an allowlist file and likely can quarantine/modify other skill directories). That level of filesystem write access should be explicitly declared and justified; it is not surfaced clearly in the SKILL.md usage examples.
Persistence & Privilege
The skill is not always-enabled and not force-installed, which is good. However the code appears able to modify other skills (quarantine via directory rename/prefix and potentially inject block comments) and to persist an allowlist in the workspace. Modifying other skills' files or directories without an explicit, visible opt-in is a privileged action and a notable risk.
Scan Findings in Context
[network_call_detection_patterns] expected: The script includes regexes and heuristics to detect network libraries, curl/wget, and outbound URLs — this is expected for a DLP/egress scanner.
[allowlist_persistence_write] unexpected: The script defines ALLOWLIST_FILE and implements save_allowlist/load_allowlist to write .egress-allowlist.json into the workspace. The SKILL.md promised 'free alert' with pro features for allowlists; persistent writes should be explicitly documented and opt-in.
[quarantine_modification_capability] unexpected: Constants like QUARANTINE_PREFIX and BLOCK_COMMENT plus header text mentioning 'quarantine' and 'block' indicate the script is capable of modifying or renaming other skill directories and adding block comments — behavior not clearly declared in runtime instructions.
What to consider before installing
This skill largely does what it says — scanning for outbound URLs and network calls — but the bundled script contains code paths for saving an allowlist and for quarantining/modifying skills (renaming directories, inserting block comments). The SKILL.md and README emphasize 'alert-only' for the free version yet the code includes modification capabilities; source/homepage are not provided. Before installing or running: (1) review the full scripts (search for rename/move, os.remove, shutil.move, write/open calls that change other directories), (2) run scans on a copy or a non-production workspace first, (3) back up your workspace/skills, (4) prefer running with --skills-only and in read-only mode if available, and (5) avoid granting broad write access if you don’t trust the source. If you need absolute assurance, ask the publisher for a provenance URL or a signed release and/or run the script in an isolated container or VM.
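One way to carry out review step (1) mechanically, as an added example that is not part of the scan report or the skill: a static pass over a Python script that lists calls able to rename, move, delete or write files. The sample input is constructed and only borrows the function names the report mentions; the call lists are assumptions and should be extended for the script under review.

```python
import ast

# Calls that rename, move, delete or create paths: the review targets listed above.
MUTATING = {"os.rename", "os.replace", "os.remove", "os.unlink", "os.rmdir",
            "os.makedirs", "shutil.move", "shutil.rmtree", "shutil.copytree"}
PATH_METHODS = {"write_text", "write_bytes", "rename", "unlink", "rmdir"}  # pathlib.Path

def dotted(node):
    # Attribute(Name('os'), 'rename') -> 'os.rename'; None for anything more complex.
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        return ".".join(reversed(parts + [node.id]))
    return None

def open_mode(call):
    # Literal mode of an open() call: 'r' when omitted, '?' when not a string literal.
    kw = {k.arg: k.value for k in call.keywords}
    mode = kw.get("mode", call.args[1] if len(call.args) > 1 else None)
    if mode is None:
        return "r"
    return mode.value if isinstance(mode, ast.Constant) and isinstance(mode.value, str) else "?"

def audit(source):
    # Return sorted (line, description) pairs for calls that can modify the filesystem.
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = dotted(node.func)
        if name in MUTATING:
            findings.append((node.lineno, name))
        elif name == "open" and set(open_mode(node)) & set("wax+?"):
            findings.append((node.lineno, f"open(mode={open_mode(node)!r})"))
        elif isinstance(node.func, ast.Attribute) and node.func.attr in PATH_METHODS:
            findings.append((node.lineno, f".{node.func.attr}()"))
    return sorted(findings)

# Constructed sample, not the skill's real script.
SAMPLE = '''import os, shutil
def save_allowlist(path, text):
    with open(path, "w") as fh:
        fh.write(text)
def quarantine(skill_dir, prefix):
    parent, name = os.path.split(skill_dir)
    shutil.move(skill_dir, os.path.join(parent, prefix + name))
'''
```

The pass parses the source without executing it, so it is safe to run against an untrusted script; calls reached through aliases or `getattr` are not resolved and still need a manual read.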

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.2

Runtime requirements

🌐 Clawdis
OS: macOS · Linux · Windows
Bins: python3

SKILL.md

OpenClaw Egress

Network DLP for agent workspaces. Scans skills and files for outbound URLs, data exfiltration endpoints, and network function calls.

The Problem

Skills can phone home. A compromised skill can POST your workspace contents, API keys, or conversation history to an external server. Nothing monitors what URLs your skills connect to or what data they could send.

Commands

Full Scan

Scan workspace for all outbound network risks.

python3 {baseDir}/scripts/egress.py scan --workspace /path/to/workspace

Skills-Only Scan

python3 {baseDir}/scripts/egress.py scan --skills-only --workspace /path/to/workspace

Domain Map

List all external domains referenced in workspace.

python3 {baseDir}/scripts/egress.py domains --workspace /path/to/workspace

Quick Status

python3 {baseDir}/scripts/egress.py status --workspace /path/to/workspace

What It Detects

| Risk | Pattern |
|------|---------|
| CRITICAL | Base64/hex payloads in URLs, pastebin/sharing services, request catchers, dynamic DNS |
| HIGH | Network function calls (requests, urllib, curl, wget, fetch), webhook/callback URLs |
| WARNING | Suspicious TLDs (.xyz, .tk, .ml), URL shorteners, IP address endpoints |
| INFO | Any external URL not on the safe domain list |
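A sketch of how the URL rows of this table can be applied to a single URL, as an added example that is not the skill's code. The domain lists, the length thresholds in `BLOB` and the `webhook`/`callback` path check are assumptions standing in for lists the page does not show; the "network function calls" part of the HIGH row concerns code rather than URLs and is not covered.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed placeholder lists: the skill's real lists are not shown on the page.
SAFE = {"github.com", "pypi.org"}
PASTE_OR_CATCHER = {"pastebin.com", "webhook.site"}
DYNAMIC_DNS = {"duckdns.org"}
SHORTENERS = {"bit.ly", "t.co"}
SUSPICIOUS_TLDS = (".xyz", ".tk", ".ml")  # the three TLDs named in the table
# Heuristic: a long hex run or a long base64/base64url run in the path or query.
BLOB = re.compile(r"[0-9a-fA-F]{32,}|[A-Za-z0-9+_-]{40,}={0,2}")

def in_list(host, domains):
    # Match the domain itself or any subdomain of it.
    return any(host == d or host.endswith("." + d) for d in domains)

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def classify(url):
    # Return the highest matching tier, or None for a URL on the safe list.
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if BLOB.search(parts.path + "?" + parts.query):
        return "CRITICAL"
    if in_list(host, PASTE_OR_CATCHER | DYNAMIC_DNS):
        return "CRITICAL"
    if re.search(r"webhook|callback", parts.path, re.IGNORECASE):
        return "HIGH"
    if is_ip(host) or host.endswith(SUSPICIOUS_TLDS) or in_list(host, SHORTENERS):
        return "WARNING"
    return None if in_list(host, SAFE) else "INFO"
```

Tiers are checked from most to least severe, so a URL that matches several rows is reported once at its highest tier.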

Exit Codes

  • 0 — Clean
  • 1 — Network calls detected (review needed)
  • 2 — Exfiltration risk detected (action needed)

No External Dependencies

Python standard library only. No pip install. No network calls. Everything runs locally.

Cross-Platform

Works with OpenClaw, Claude Code, Cursor, and any tool using the Agent Skills specification.
