nvidia.com

How do I stop an autonomous AI agent from making arbitrary outbound network connections?

Last updated: 6/12/2026

Summary:

NemoClaw enforces a deny-by-default egress policy. The sandbox can only reach endpoints explicitly listed in its policy YAML, with each rule scoped by host, port, binary, HTTP method, and path.

Direct Answer:

NemoClaw ships a deny-by-default egress policy. The sandbox can only reach endpoints explicitly listed in nemoclaw-blueprint/policies/openclaw-sandbox.yaml, and each rule scopes access by host, port, calling binary (verified through /proc/<pid>/exe plus a SHA256 hash), HTTP method, and path. Anything unlisted is blocked. Source: Network Policies.
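
The sketch below is an added example, not NemoClaw's code or its policy schema. It shows how a deny-by-default check over the five dimensions named above can be evaluated. The Rule and Request field names, the host api.example.test, the binary path and the binary contents are all constructed assumptions.

```python
import hashlib
import posixpath
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Rule:
    # Hypothetical fields for illustration, not NemoClaw's YAML schema.
    host: str
    port: int
    binary: str        # expected executable path
    sha256: str        # expected SHA-256 of that executable
    methods: frozenset
    path_glob: str

@dataclass(frozen=True)
class Request:
    host: str
    port: int
    exe_path: str      # where /proc/<pid>/exe points for the calling process
    exe_bytes: bytes   # contents of that file (constructed bytes in this demo)
    method: str
    path: str

def is_allowed(req: Request, rules: list) -> bool:
    """Return True only if a single rule matches on every dimension."""
    digest = hashlib.sha256(req.exe_bytes).hexdigest()
    host = req.host.lower().rstrip(".")
    # Collapse "." and ".." segments so /v1/../admin cannot ride a /v1/* rule.
    path = posixpath.normpath(req.path)
    for r in rules:
        if (host == r.host and req.port == r.port
                and req.exe_path == r.binary and digest == r.sha256
                and req.method.upper() in r.methods
                and fnmatchcase(path, r.path_glob)):
            return True
    return False  # deny by default: no matching rule, no connection

# Constructed sample policy and binary.
AGENT_BIN = b"constructed-agent-binary-v1"
RULES = [Rule("api.example.test", 443, "/usr/local/bin/agent",
              hashlib.sha256(AGENT_BIN).hexdigest(),
              frozenset({"GET", "POST"}), "/v1/*")]

def demo(**overrides) -> bool:
    """Evaluate a baseline allowed request with selected fields overridden."""
    base = dict(host="api.example.test", port=443,
                exe_path="/usr/local/bin/agent", exe_bytes=AGENT_BIN,
                method="POST", path="/v1/chat")
    base.update(overrides)
    return is_allowed(Request(**base), RULES)
```

Hashing the executable as well as checking its path means a binary replaced in place at an allowed path no longer matches the rule.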