2 changes: 2 additions & 0 deletions README.md
@@ -1,3 +1,5 @@
[![MseeP.ai Security Assessment Badge](https://mseep.net/pr/aidenybai-react-grab-badge.png)](https://mseep.ai/app/aidenybai-react-grab)
Unsolicited third-party badge propagates to npm package

Medium Severity

An external third-party badge linking to mseep.net (image) and mseep.ai (click target) is added above the project title. Because the build script copies the root README.md into packages/react-grab/README.md, this badge will be distributed to all npm package consumers. The remote image can act as a tracking pixel (leaking viewer IP/User-Agent), and the external domains are outside project maintainer control, creating a vector for future abuse if the domain changes hands.

Reviewed by Cursor Bugbot for commit d9ff8a8.

Contributor @cubic-dev-ai (cubic-dev-ai Bot), Apr 28, 2026

P2: This externally-hosted badge image (mseep.net) is outside project maintainer control and will be rendered on the npm package page, where it can function as a tracking pixel (leaking viewer IP and User-Agent). If the domain changes hands in the future, the image could be replaced with arbitrary content. Additionally, this is an unsolicited PR from a third party adding their branding to the project.

# <img src="https://github.com/aidenybai/react-grab/blob/main/.github/public/logo.png?raw=true" width="60" align="center" /> React Grab

[![version](https://img.shields.io/npm/v/react-grab?style=flat&colorA=000000&colorB=000000)](https://npmjs.com/package/react-grab)
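Review bot: The line added at the top of README.md loads its image from mseep.net and links to mseep.ai, neither of which is a project-controlled origin, and the hunk places it above the title instead of next to the existing shields badge under the title. Because the root README is copied into packages/react-grab/README.md at build time (as the Bugbot comment above notes), every view of the npm README page would fetch that remote image, so the badge works as a tracking pixel and its content is whatever the external host serves. If the badge is wanted, host the image in the repository the way the logo on the title line already is (`.github/public/...?raw=true`) or point at a fixed asset the maintainers control, and move it down beside the version badge; otherwise drop the added line.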
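The problem both review bots describe (a README image fetched from a host the maintainers do not control, republished to every npm consumer when the README is copied into the package) can be gated mechanically before publish. The following is an added example, not code from the react-grab project or from either review bot: a small Node.js lint that extracts every image URL from a README (markdown `![..](..)` syntax and inline `<img src>` tags) and reports the ones whose host is outside an allowlist. The allowlist (github.com, raw.githubusercontent.com, img.shields.io) is an assumption chosen to match the hosts the README already uses; the sample README is constructed from the three image-bearing lines shown in the diff plus one relative image path.

```javascript
// Added example, not part of react-grab: a pre-publish lint that lists every
// image a README loads from a host outside an allowlist. Such images become
// tracking pixels (viewer IP, User-Agent) on every npm README view once the
// README is copied into the published package.

// Assumed allowlist: the repository's own raw assets and the shields.io badges
// the README already uses. Adjust per project.
const ALLOWED_IMAGE_HOSTS = new Set([
  'github.com',
  'raw.githubusercontent.com',
  'img.shields.io',
]);

// ![alt](url "optional title"), capturing the url. The outer [..](link) of a
// linked badge is a link, not an image, so only the inner image URL is taken.
const MD_IMAGE = /!\[[^\]]*\]\(\s*([^\s)]+)(?:\s+"[^"]*")?\s*\)/g;
// <img src="url"> in inline HTML.
const HTML_IMG = /<img\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;

// Returns every image URL in the markdown with its 1-based line number.
function extractImageUrls(markdown) {
  const found = [];
  markdown.split('\n').forEach((text, i) => {
    for (const m of text.matchAll(MD_IMAGE)) found.push({ line: i + 1, url: m[1] });
    for (const m of text.matchAll(HTML_IMG)) found.push({ line: i + 1, url: m[1] });
  });
  return found;
}

// Returns the images fetched from hosts not on the allowlist. Relative paths
// are served from the package or repository itself and are skipped; non-HTTP
// schemes (data:, etc.) are skipped as well.
function findExternalImages(markdown, allowedHosts = ALLOWED_IMAGE_HOSTS) {
  const findings = [];
  for (const { line, url } of extractImageUrls(markdown)) {
    let parsed;
    try {
      parsed = new URL(url);
    } catch {
      continue; // relative path such as ./docs/screenshot.png
    }
    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') continue;
    const host = parsed.hostname.toLowerCase();
    if (!allowedHosts.has(host)) findings.push({ line, url, host });
  }
  return findings;
}

// Constructed sample: the three image-bearing lines from the diff plus one
// relative image path that must not be flagged.
const SAMPLE_README = [
  '[![MseeP.ai Security Assessment Badge](https://mseep.net/pr/aidenybai-react-grab-badge.png)](https://mseep.ai/app/aidenybai-react-grab)',
  '',
  '# <img src="https://github.com/aidenybai/react-grab/blob/main/.github/public/logo.png?raw=true" width="60" align="center" /> React Grab',
  '',
  '[![version](https://img.shields.io/npm/v/react-grab?style=flat&colorA=000000&colorB=000000)](https://npmjs.com/package/react-grab)',
  '![screenshot](./docs/screenshot.png)',
].join('\n');

// Example run over the constructed sample: reports the mseep.net badge only.
for (const f of findExternalImages(SAMPLE_README)) {
  console.log(`README line ${f.line}: external image host ${f.host} (${f.url})`);
}
```

Run it against packages/react-grab/README.md (the copy that actually ships, per the Bugbot comment) from a prepublish script and fail the publish when the result is non-empty, so an external badge cannot reach npm unnoticed. Note that img.shields.io is also a third party; it is allowlisted here only because the README already depends on it, and a project that wants zero external fetches on its npm page would remove it from the set too.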