Back to skill
Skillv1.0.0
VirusTotal security
Claw Canvas · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:37 AM
- Hash
- e0a8be10061dbb2b13db4254a4c4db1f87d1bb2b8a0ddfd8135ebe2d92ab37e6
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: claw-canvas Version: 1.0.0 The `scripts/canvas_cli.py` skill takes arbitrary string input via the `--content` argument and passes it directly to the `default_api.canvas` tool for rendering. As the `SKILL.md` indicates the canvas can 'Render Markdown/HTML', this direct passing of unsanitized user-controlled content creates a potential vulnerability (e.g., Cross-Site Scripting if HTML is rendered, or other forms of injection) if the underlying `canvas` tool does not robustly sanitize or sandbox the input. This lack of input sanitization is a risky capability, classifying the skill as suspicious rather than benign, but not malicious as there's no evidence of intentional harmful behavior by the skill itself.
- External report
- View on VirusTotal