Summary
What went wrong?
https://mintcdn.com/clawhub/4rYvG-uuZrMK_URE/assets/pixel-lobster.svg <-- This is hardcoded in the app. It's well known that .svg files can contain malicious code in them. This file absolutely should not be hardcoded as a web asset to some unknown CDN that could be compromised.
Steps to reproduce
- Install and build from source
- Fire up the Gateway
- Observe the link to the image being a remote SVG file.
Expected behavior
What did you expect to happen?
It should load a local version of the SVG file, where it can be replaced with a TRUSTED image file.
Actual behavior
What actually happened?
It loaded an untrusted remote resource.
Environment
- Clawdbot version: main
- OS: Linux
- Install method (pnpm/npx/docker/etc): pnpm
Logs or screenshots
Paste relevant logs or add screenshots (redact secrets).
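One way to act on this report is a build-time gate that only vendors an SVG as a local asset after inspecting it, and a check that the app's own image references stay local. This is an added example, not code from the issue or the Clawdbot project; the function names, the pattern list and the two sample SVGs are constructed for illustration.

```javascript
// Added example (not project code): vet an SVG before it is vendored locally,
// and reject image references that point at remote hosts.

// Constructs that let an SVG execute code or pull remote content.
const SVG_RISK_PATTERNS = [
  { name: 'script element', re: /<script[\s>]/i },
  { name: 'event handler attribute', re: /\son[a-z]+\s*=/i },
  { name: 'javascript: URL', re: /javascript\s*:/i },
  { name: 'foreignObject (embeds HTML)', re: /<foreignObject[\s>]/i },
  { name: 'external reference', re: /href\s*=\s*["']\s*(?:https?:|\/\/)/i },
  { name: 'data: URL', re: /href\s*=\s*["']\s*data:/i },
  { name: 'remote URL in style', re: /url\s*\(\s*["']?\s*(?:https?:|\/\/|data:)/i },
  { name: 'CSS @import', re: /@import/i },
  { name: 'xml-stylesheet instruction', re: /<\?xml-stylesheet/i },
  { name: 'entity declaration (XXE)', re: /<!ENTITY/i },
];

// Returns { safe, findings }; a build step would refuse to copy the file
// into the local assets directory unless safe is true.
function auditSvg(svgText) {
  const findings = SVG_RISK_PATTERNS
    .filter((p) => p.re.test(svgText))
    .map((p) => p.name);
  return { safe: findings.length === 0, findings };
}

// True only for relative or root-relative paths, i.e. assets served by the
// app itself rather than fetched from a third-party host.
function isLocalAssetRef(ref) {
  return !/^\s*(?:[a-z][a-z0-9+.-]*:|\/\/)/i.test(ref);
}

// Constructed sample: a plain icon that references only its own gradient.
const TRUSTED_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16">' +
  '<defs><linearGradient id="g"/></defs>' +
  '<rect x="2" y="2" width="12" height="12" fill="url(#g)"/></svg>';

// Constructed sample: an SVG carrying script, an event handler and a remote image.
const HOSTILE_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">' +
  '<script>alert(1)</script>' +
  '<image href="//cdn.example.invalid/x.png"/></svg>';

module.exports = { auditSvg, isLocalAssetRef, TRUSTED_SVG, HOSTILE_SVG };
```

Running `auditSvg` on the trusted sample reports no findings, while the hostile sample is flagged for the script element, the event handler and the external reference.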