SSRF protection blocks Discord CDN when behind Clash Verge TUN (fake-ip) #33086

@anxingjian

Problem

When running OpenClaw behind Clash Verge with TUN mode enabled (fake-ip strategy), cdn.discordapp.com resolves to 198.18.x.x (Clash's fake-ip range). OpenClaw's SSRF protection treats this as a private/internal IP and blocks the fetch.

This means all Discord image and file attachments are blocked — the agent cannot see any images sent in DMs or channels.

Error message:

blocked URL fetch (url-fetch) target=https://cdn.discordapp.com/... reason=Blocked: resolves to private/internal/special-use IP address

DNS resolution (via Clash TUN):

cdn.discordapp.com → 198.18.0.40

Environment

  • OpenClaw v2026.2.26
  • macOS 26.3 (arm64)
  • Clash Verge with TUN mode (fake-ip), cannot be disabled

Request

Could you add a config option to whitelist specific domains from SSRF checks? Something like:

{
  "tools": {
    "web": {
      "fetch": {
        "ssrfAllowDomains": ["cdn.discordapp.com", "media.discordapp.net"]
      }
    }
  }
}

Or alternatively, a way to bypass SSRF checks for Discord attachment URLs specifically (since they come from a trusted source — the Discord API itself).

Modifying the proxy/VPN configuration is not an option in this case.
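The following is an added example, not part of the original issue and not OpenClaw's code. It sketches one way the requested exemption could be scoped so that an allowlisted hostname is accepted only when it resolves inside the fake-ip range, while loopback, RFC 1918 and link-local results stay blocked. `ssrfAllowDomains` is the option proposed in the issue; `fakeIpCidr`, `checkFetch` and the other names are hypothetical.

```javascript
// Added example; not OpenClaw's implementation. All names are hypothetical
// except ssrfAllowDomains, which is the option proposed in the issue.
const BLOCKED_CIDRS = [ // subset of special-use IPv4 ranges, for brevity
  "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
  "172.16.0.0/12", "192.168.0.0/16",
  "198.18.0.0/15", // RFC 2544 benchmarking range; 198.18.0.40 from the issue is in it
];

function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) throw new Error("not an IPv4 address: " + ip);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error("not an IPv4 address: " + ip);
    return acc * 256 + Number(p);
  }, 0);
}

function inCidr(ip, cidr) {
  const [base, bits] = cidr.split("/");
  const size = 2 ** (32 - Number(bits));
  const start = Math.floor(ipv4ToInt(base) / size) * size;
  const n = ipv4ToInt(ip);
  return n >= start && n < start + size;
}

// policy.ssrfAllowDomains: exact hostnames that may be exempted (proposed option).
// policy.fakeIpCidr: the only blocked range the exemption covers (assumed option).
function checkFetch(hostname, resolvedIp, policy) {
  const hit = BLOCKED_CIDRS.find((c) => inCidr(resolvedIp, c));
  if (!hit) return { allowed: true, reason: "public address" };
  const listed = policy.ssrfAllowDomains.includes(hostname.toLowerCase());
  if (listed && policy.fakeIpCidr && inCidr(resolvedIp, policy.fakeIpCidr)) {
    return { allowed: true, reason: "allowlisted host on fake-ip range" };
  }
  return { allowed: false, reason: "resolves to special-use range " + hit };
}

const policy = {
  ssrfAllowDomains: ["cdn.discordapp.com", "media.discordapp.net"],
  fakeIpCidr: "198.18.0.0/15",
};
// Constructed sample resolutions; the first is the one reported in the issue.
const samples = [
  ["cdn.discordapp.com", "198.18.0.40"],
  ["cdn.discordapp.com", "127.0.0.1"],
  ["example.com", "198.18.0.41"],
];
for (const [h, ip] of samples) console.log(h, ip, checkFetch(h, ip, policy));
```

Only the first sample is allowed: an allowlisted name that resolves to loopback is still refused, and a non-allowlisted name on the fake-ip range gets no exemption.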
