
[Bug]: Possible security problem with the .svg file #5170

@Lancelight

Description

Summary

What went wrong?
https://mintcdn.com/clawhub/4rYvG-uuZrMK_URE/assets/pixel-lobster.svg <-- This is hardcoded in the app. It's well known that .svg files can contain malicious code in them. This file absolutely should not be hardcoded as a web asset to some unknown CDN that could be compromised.

Steps to reproduce

  1. Install and build from source
  2. Fire up the Gateway
  3. Observe the link to the image being a remote SVG file.

Expected behavior

What did you expect to happen?
It should load a local version of the SVG file, where it can be replaced with a TRUSTED image file.

Actual behavior

What actually happened?
It loaded an untrusted remote resource.

Environment

  • Clawdbot version: main
  • OS: Linux
  • Install method (pnpm/npx/docker/etc): pnpm



Labels: bug (Something isn't working), security (Security documentation), stale (Marked as stale due to inactivity)
