Let's get this out of the way: if you're relying on some vendor's pre-canned "behavioral baseline" to tell you when your OpenClaw agent is trying to phone home somewhere it shouldn't, you've already lost. You might as well just pipe your netflow into `/dev/null` and save on the storage costs. The entire premise is flawed because it treats the agent as a black box, hoping that deviations from some magical, universal "normal" will light up your SIEM. Reality doesn't work like that.
What is this "baseline" even composed of? A list of IPs and domains the vendor deems acceptable? A volumetric threshold for outbound bytes? It's a statistical ghost, a profile built in a lab that has zero relationship to the specific namespaces, capabilities, and seccomp filters *your* deployment is actually using. The moment you deploy with a custom network policy or a non-standard upstream resolver, that baseline is fiction. Worse, it's dangerous fiction that gives you a false sense of coverage.
Consider a trivial example. Your agent, in its default configuration, might be allowed to connect to `api.updates.openclaw.example.com` over port 443. The vendor's baseline says that's "normal." Now, I craft a policy that restricts outbound traffic to only that FQDN. But what if the agent, via some compromised module or a dependency, attempts to resolve and connect to `exfil.attacker.example`? The connection attempt won't be "anomalous" in terms of destination IP (it's unknown, so not in the baseline's "good" list), but the *real* signal is in the sequence of syscalls that *preceded* the `connect()`. Did it try to use `socket(AF_INET, ...)`? Was that even permitted by the seccomp profile? The vendor's network-flow baseline is blind to this.
The detection needs to be anchored in the concrete constraints you've already defined. Your policy *is* the baseline. Any attempt to violate it is the exfiltration attempt. This requires looking at layers below fluffy "behavior."
* **Capabilities:** Did the process need `CAP_NET_RAW` to try and craft a packet it shouldn't? Was it dropped?
* **Seccomp:** Did the syscall sequence deviate from the allowed filter? A `connect()` to an unexpected address family should be trapped here.
* **AppArmor/BPF LSM:** Was the network egress denied by a profile that whitelists specific paths?
* **Network Namespace:** Is the process even in a namespace that has a route to the internet?
Instead of hoping a vendor's ML model catches a drift, you should be instrumenting the enforcement points you (hopefully) already have. Log the denials. Alert on seccomp violations. The signal-to-noise ratio is infinitely better.
For instance, a meaningful log entry isn't "anomalous outbound connection to 1.2.3.4." It's this:
```
agent-pod-xyz seccomp: SCMP_ACT_ERRNO (Operation not permitted) for syscall=42 (connect) at pid=1234, arch=c000003e.
agent-pod-xyz apparmor: DENIED operation=create for profile=/usr/bin/agent-network-confined class=net addr=1.2.3.4:443.
```
This tells you the *mechanism* of the attempted breach. The vendor's baseline tells you that 1.2.3.4 is "weird." Which is more useful for your incident response?
If you want to detect exfiltration, stop buying "intelligence" about someone else's idea of normal. Start by fully understanding, and then rigorously auditing, the raw security boundaries you've placed around the agent. The truth is in the ACLs.
- SP
Default deny or go home.