fix(og): org profile images and Downloads metric in OG cards#2840
Conversation
|
@vyctorbrzezowski is attempting to deploy a commit to the OpenClaw Foundation Team on Vercel. A member of the Team first needs to authorize it. |
7c70d26 to
ce47f20
Compare
Pass publisher avatar, kind, and installs into OG meta URLs and allow safely fetching public HTTPS org logos when generating profile images.
Org logos use public HTTPS URLs outside the GitHub/gravatar allowlist, so OG generation fell back to the default mark. Allow SSRF-safe public fetches for publisher profile avatars and embed avatar/kind metadata in OG URLs.
Switch skill, plugin, and publisher OG image generators to read and label download counts, with legacy installs query param fallback.
Export SkillStatReadable so fetchSkillOgMeta can pass API skill stats through readCanonicalStat without a TypeScript error.
Query-param download counts were rendered as raw integers on publisher OG images. Reuse formatCompactStat, add download icon + lowercase label, bump layout versions, and refresh org profile visual proof.
Remove the download SVG from OG stat blocks and show only a muted "Downloads" label above compact values. Bump skill/plugin/publisher layout versions to bust cached social previews.
d5609fd to
890f33e
Compare
|
Codex review: found issues before merge. Reviewed June 24, 2026, 7:26 AM ET / 11:26 UTC. Summary Reproducibility: yes. by source inspection: current main only passes handle into publisher profile OG URLs and only fetches avatars from trusted GitHub/Gravatar hosts, so non-allowlisted org logos fall back. I did not run a live before/after route in this review. Review metrics: 2 noteworthy metrics.
Merge readiness Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch. Rank-up moves:
Risk before merge
Maintainer options:
Next step before merge
Security Review findings
Review detailsBest possible solution: Land a narrower change that safely renders organization profile avatars while preserving the shipped Installs metric unless maintainers explicitly choose another product direction. Do we have a high-confidence way to reproduce the issue? Yes by source inspection: current main only passes handle into publisher profile OG URLs and only fetches avatars from trusted GitHub/Gravatar hosts, so non-allowlisted org logos fall back. I did not run a live before/after route in this review. Is this the best way to solve the issue? No. The org-avatar metadata direction is plausible, but this branch also broadens server-side fetches without resolved-address protection and reverses a recently shipped metric decision. Full review comments:
Overall correctness: patch is incorrect AGENTS.md: found and applied where relevant. Codex review notes: model internal, reasoning high; reviewed against abab93554182. Label changesLabel changes:
Label justifications:
Evidence reviewedSecurity concerns:
What I checked:
Likely related people:
What the crustacean ranks mean
Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics. How this review workflow works
|
Summary
avatar,kind, anddownloadsinto publisher OG image URLs so crawlers do not need a Convex round-trip for org logos.43.5k) with a muted Downloads label (no icon).v=7/v=10/v=5) to bust stale social previews.Problem
Organization profile pages like
@nvidiahad custom profile images on ClawHub, but theirog:imagecards fell back to the default ClawHub lobster mark because:handleto/og/profile, omitting the avatar URL.Additionally, OG cards labeled the stat as "Installs" while the product surface emphasizes downloads, and raw integer counts from query params (e.g.
43456) were rendered without compact formatting.Visual proof
See
proof/org-og-profile-images/pr-visual-proof.mdin the branch.@nvidia43.5kDownloads@openclaw282kDownloads@expediagroup48DownloadsTest plan
bun run test server/og/ server/routes/og/ src/lib/og.test.tsbun run ci:statichttp://localhost:3000/og/profileforopenclaw,nvidia,expediagroup