AI Assessment
VERDICT
Based on automated scanner findings, this codebase is not production-ready. Multiple high-severity dependency vulnerabilities, extreme cyclomatic complexity, and Docker security misconfigurations present material risks.
TOP RISKS
→ The scanner flagged CVE-2026-33036 (fast-xml-parser@5.3.6), CVE-2026-2359, CVE-2026-3304, and CVE-2026-3520 (multer@2.0.2) in pnpm-lock.yaml. These are known vulnerabilities in active dependencies.
→ The readSkillMarkdown function was flagged with a cyclomatic complexity of 588, with affected locations across multiple files (server/src/routes/access.ts:98, ui/src/components/AgentConfigForm.tsx:407, ui/src/components/IssueDocumentsSection.tsx:619), indicating code that is extremely difficult to maintain.
→ The scanner detected a 559-line duplicated code block spanning skills/paperclip/references/api-reference.md and ui/src/components/AsciiArtAnimation.tsx, representing a maintenance and consistency risk.
→ Docker images were flagged for running as root user (docker/openclaw-smoke/Dockerfile) and missing HEALTHCHECK directives (Dockerfile, Dockerfile.onboard-smoke, docker/openclaw-smoke/Dockerfile).
WHAT TO FIX FIRST
Update multer from 2.0.2 to a patched version in pnpm-lock.yaml. This single dependency is flagged for three CVEs and appears to be the highest-impact remediation.
Note: Verify the CVE dates (showing 2026), as these may be scanner configuration errors. Always cross-reference critical findings against your actual code before deployment.
Category Breakdown
Findings (39 in 13 groups)
Function "readSkillMarkdown ( skillName : string ) ( ) ( markdown : string )" has a cyclomatic complexity of 588 (2420 lines, 1 parameter). This function is extremely complex and should be refactored into smaller functions.
Duplicate found between skills/paperclip/references/api-reference.md:3 and .claude/skills/paperclip/references/api-reference.md:3. Consider extracting shared logic into a reusable function or module.
fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) | Fix available: 5.5.6 | Package: fast-xml-parser (pnpm) | https://avd.aquasec.com/nvd/cve-2026-33036
multer: Multer: Denial of Service via dropped file upload connections | Fix available: 2.1.0 | Package: multer (pnpm) | https://avd.aquasec.com/nvd/cve-2026-2359
multer: Multer: Denial of Service via malformed requests | Fix available: 2.1.0 | Package: multer (pnpm) | https://avd.aquasec.com/nvd/cve-2026-3304
multer: Multer: Denial of Service via malformed requests | Fix available: 2.1.1 | Package: multer (pnpm) | https://avd.aquasec.com/nvd/cve-2026-3520
rollup: Rollup: Remote Code Execution via Path Traversal Vulnerability | Fix available: 2.80.0, 3.30.0, 4.59.0 | Package: rollup (pnpm) | https://avd.aquasec.com/nvd/cve-2026-27606
Running containers as the 'root' user can lead to a container escape. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile. | Fix: Add 'USER <non root user name>' line to the Dockerfile | Target: docker/openclaw-smoke/Dockerfile
esbuild enables any website to send any requests to the development server and read the response | Fix available: 0.25.0 | Package: esbuild (pnpm) | https://github.com/advisories/GHSA-67mh-4wv8-2f99
You should add a HEALTHCHECK instruction to your Docker container images so that the health of running containers can be checked. | Fix: Add HEALTHCHECK instruction in Dockerfile | Target: Dockerfile