Discord Preset Allows DELETE Method on All Paths — Overly Permissive Default - IssueFinder - SN 11

### Description

## Repository
- https://github.com/NVIDIA/NemoClaw
- Branch: main

## Related GitHub Issue Check
- Matching open issue: https://github.com/NVIDIA/NemoClaw/issues/1113 (related but about inference/telemetry wildcards)
#1113 covers inference and telemetry wildcard methods. This finding is specifically about the Discord preset including DELETE on all paths.

## Description
The Discord network policy preset (`presets/discord.yaml` lines 15-21) allows GET, POST, PUT, PATCH, and DELETE methods on `/**` paths for `discord.com`. The DELETE method allows the agent to delete channels, messages, guilds, roles, and other Discord resources. This is excessively permissive for most bot use cases.

## Impact
An agent prompted to "clean up" could delete Discord channels, messages, or roles.

## Affected Area
- File(s): nemoclaw-blueprint/policies/presets/discord.yaml (lines 15-21)

## Expected Behavior
DELETE should not be in the default preset. If needed, it should be an explicit opt-in with path restrictions.

## Actual Behavior
DELETE allowed on all Discord API paths by default.

### Reproduction Steps

## Steps to Reproduce
1. `nemoclaw policy-add --preset discord`
2. Inside sandbox: `curl -X DELETE -H 'Authorization: Bot <token>' https://discord.com/api/v10/channels/<id>`
3. Channel is deleted — no policy restriction

### Environment


- OS: Any
- NemoClaw Version: v0.1.0
- Branch: main
- Runtime: OpenShell sandbox
- Container / Orchestration Info: Docker sandbox with OpenShell proxy
- Network Setup: Requires outbound HTTPS to discord.com

### Debug Output

```shell
# Read the Discord preset/baseline policy:
grep -A 20 'discord:' nemoclaw-blueprint/policies/openclaw-sandbox.yaml
# Check for: DELETE method in allowed rules

# Test from inside sandbox:
openshell sandbox exec <sandbox-name> -- \
  curl -s -X DELETE -H "Authorization: Bot $DISCORD_BOT_TOKEN" \
  https://discord.com/api/v10/channels/CHANNEL_ID/messages/MSG_ID
# If DELETE passes through the proxy, the policy is too permissive
```

### Logs

```shell
# N/A — this is a policy configuration issue.
# The Discord policy allows methods beyond what NemoClaw needs.
```

### Checklist

- [x] I confirmed this bug is reproducible
- [x] I searched existing issues and this is not a duplicate

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Discord Preset Allows DELETE Method on All Paths — Overly Permissive Default - IssueFinder - SN 11 #1433

Description

Repository

Related GitHub Issue Check

Description

Impact

Affected Area

Expected Behavior

Actual Behavior

Reproduction Steps

Steps to Reproduce

Environment

Debug Output

Logs

Checklist

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Discord Preset Allows DELETE Method on All Paths — Overly Permissive Default - IssueFinder - SN 11 #1433

Description

Description

Repository

Related GitHub Issue Check

Description

Impact

Affected Area

Expected Behavior

Actual Behavior

Reproduction Steps

Steps to Reproduce

Environment

Debug Output

Logs

Checklist

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions