Add MseeP.ai badge

[mseep-ai]

Hi there,

This pull request shares a security update on clawmaster.

We also have an entry for clawmaster in our directory, MseeP.ai, where we provide regular security and trust updates on your app.

We invite you to add our badge for your MCP server to your README to help your users learn from a third party that provides ongoing validation of clawmaster.

You can easily take control over your listing for free: visit it at https://mseep.ai/app/openmaster-ai-clawmaster.

Thanks,

The MseeP Team
MCP servers you can trust

---

Here are our latest evaluation results of clawmaster

Security Scan Results

Security Score: 89/100

Risk Level: moderate

Scan Date: 2026-05-07

Score starts at 100, deducts points for security issues, and adds points for security best practices

Detected Vulnerabilities

Medium Severity

• langsmith

  • [{'source': 1117058, 'name': 'langsmith', 'dependency': 'langsmith', 'title': 'LangSmith SDK: Streaming token events bypass output redaction', 'url': 'https://github.com/advisories/GHSA-rr7j-v2q5-chgv', 'severity': 'moderate', 'cwe': ['CWE-200', 'CWE-359', 'CWE-532'], 'cvss': {'score': 5.3, 'vectorString': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}, 'range': '<=0.5.18'}]
  • Fixed in version: unknown

• postcss

  • [{'source': 1117015, 'name': 'postcss', 'dependency': 'postcss', 'title': 'PostCSS has XSS via Unescaped </style> in its CSS Stringify Output', 'url': 'https://github.com/advisories/GHSA-qx2v-qp2m-jg93', 'severity': 'moderate', 'cwe': ['CWE-79'], 'cvss': {'score': 6.1, 'vectorString': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}, 'range': '<8.5.10'}]
  • Fixed in version: unknown

• uuid

  • [{'source': 1117637, 'name': 'uuid', 'dependency': 'uuid', 'title': 'uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided', 'url': 'https://github.com/advisories/GHSA-w5hq-g745-h8pq', 'severity': 'moderate', 'cwe': ['CWE-787', 'CWE-1285'], 'cvss': {'score': 0, 'vectorString': None}, 'range': '>=11.0.0 <11.1.1'}]
  • Fixed in version: unknown

Security Findings

Medium Severity Issues

• semgrep: Use of child_process.exec() with dynamic input detected. This can lead to command injection.

  • Location: packages/backend/src/execOpenclaw.ts
  • Line: 541

• semgrep: Insecure WebSocket Detected. WebSocket Secure (wss) should be used for all WebSocket connections.

  • Location: packages/web/src/modules/gateway/tests/GatewayPage.test.tsx
  • Line: 211

• ... and 1 more medium severity issues

This security assessment was conducted by MseeP.ai, an independent security validation service for MCP servers. Visit our website to learn more about our security reviews.

[webup]

Thanks for surfacing the scan results. I’m handling the actual remediation in #149 and a separate code branch so the security work is tracked independently from this README badge PR. One note from triage: the reported finding points at a test assertion, while the production client already upgrades to on origins. I’ll link the remediation details from the follow-up PR once verification is complete.

[webup]

Thanks for surfacing the scan results. I’m handling the actual remediation in #149 and a separate code branch so the security work is tracked independently from this README badge PR.

One note from triage: the reported ws:// finding points at a test assertion, while the production client already upgrades to wss: on https: origins. I’ll link the remediation details from the follow-up PR once verification is complete.