🖥️ Canvas-OS

Security checks across malware telemetry and agentic risk

Overview

Canvas-OS is a coherent Canvas app helper, but it needs review because its scripts can forcibly stop unrelated local services and expose active local app content with limited guardrails.

Review before installing if you run other local services or may put private data in Canvas app folders. Use trusted app content only, avoid untrusted HTML injection, bind servers to 127.0.0.1 where possible, and do not let the helper kill a port unless you know what process is listening there.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
This helper explicitly constructs a Canvas 'eval' action that executes arbitrary JavaScript derived from caller-supplied HTML via document.write(). That creates a broad script-execution primitive, which is substantially more dangerous than simple visual app rendering because any consumer of this helper can inject active content and run code in the target Canvas node.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The script unconditionally kills whatever process is bound to the user-supplied port using `kill -9`, without verifying ownership, purpose, or that the process belongs to this app. This can terminate unrelated services and cause denial of service or data loss, especially because `SIGKILL` prevents graceful shutdown and cleanup.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The README suggests very broad natural-language trigger phrases such as opening dashboards or building trackers without defining confirmation, scope, or safety boundaries. In an agent setting, vague activation phrases can cause unintended execution of this skill in response to loosely related user input, increasing the chance of surprising actions or invocation chaining.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The README explicitly describes a flow involving localhost serving, JavaScript eval-based data injection, and app-to-agent command callbacks via deep links, but provides no warnings or guardrails. That combination creates a meaningful attack surface: eval can turn untrusted data into code execution in the app context, and callback links can enable unauthorized or confusing agent actions if inputs are not tightly validated and mediated.

Vague Triggers

Severity: Medium
Confidence: 82%
Finding:
The trigger phrases are very broad natural-language commands like "Open [app]" and "Close canvas," which can plausibly occur in ordinary conversation. In an agent environment, overly generic invocation patterns increase the chance of accidental activation, causing unintended server starts, navigation actions, or UI modification.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The skill provides direct HTML/JS injection instructions using document.write() and canvas.eval() without a strong warning that this executes arbitrary active content in the Canvas context. Because the skill is specifically about rendering rich HTML/CSS/JS UIs and injecting live code, its context makes this more dangerous: users may be encouraged to load or generate untrusted content that can run script, exfiltrate displayed data, or trigger privileged deep-link actions.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The documented command `lsof -ti:$PORT | xargs kill -9` will forcibly terminate any process listening on the chosen port, with no safeguard that it belongs to this skill. If the port is occupied by an unrelated local service, this can cause denial of service or data loss, especially because the skill suggests fixed default ports that may collide with other applications.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The function is designed to inject arbitrary HTML into about:blank and execute it without any warning, consent gate, or indication that active JavaScript may run in the target node. In this skill context, marketed as a Canvas app platform helper, the lack of warning makes misuse more likely and increases the chance that untrusted content is treated as harmless presentation data.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The script reads a PID from a predictable file in /tmp and then unconditionally sends SIGKILL to that PID before deleting the file. If the PID file is stale, tampered with, or reused by another process, the script can terminate an unintended process, making this a real process-safety vulnerability rather than just an operational concern.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
Force-killing any process on the selected port without warning or confirmation is a destructive side effect that a caller may not expect. In this skill context, ports are user-controlled, so a mistaken or maliciously chosen port could disrupt local development tools or other applications running on the host.

Missing User Warnings

Severity: Low
Confidence: 72%
Finding:
Writing a PID file into `/tmp` creates an undisclosed filesystem side effect and uses a predictable filename derived from the app name. While lower severity than the port-kill behavior, predictable files in shared temporary directories can be tampered with or collide with other users/processes, leading to incorrect cleanup behavior or symlink-related issues depending on later consumers.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The page sends tracker-derived content to an external agent handler via the custom openclaw://agent URI when the user clicks an item or the add button, but the UI provides no disclosure, consent prompt, or clear indication that item titles and state changes are being shared externally. Because item titles/meta may contain sensitive habit, health, or personal productivity data, this creates an unintended data-sharing/privacy risk in a tracker context.

VirusTotal

66/66 vendors flagged this skill as clean.
