🖥️ Canvas-OS
Review
Audited by ClawScan on May 10, 2026.
Overview
Canvas-OS mostly matches its visual app purpose, but its default helper scripts can expose local app files beyond localhost and forcibly stop unrelated processes on a chosen port.
Review this skill before installing if you run other services locally or store private data in Canvas apps. Prefer changing the helper to bind the server to 127.0.0.1 and avoid using ports that may belong to other programs.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1
Impact: Files in the selected app directory, including any app state, may be reachable beyond the intended Canvas view if the server listens on other network interfaces.
Evidence: The helper starts Python's HTTP server for the whole selected app directory without an explicit loopback bind such as --bind 127.0.0.1, despite the documentation framing the flow as localhost-only.
    cd "$APPS_DIR/$APP_NAME"
    python3 -m http.server $PORT > /dev/null 2>&1 &
Recommendation: Bind the server explicitly to 127.0.0.1, document the exposure clearly, and avoid placing sensitive data in served app directories.
Finding 2
Impact: Opening an app could terminate an unrelated local service or development server using the same port, potentially causing lost work or service disruption.
Evidence: The default open flow forcibly kills any process listening on the chosen port before checking whether it belongs to Canvas-OS.
    lsof -ti:$PORT 2>/dev/null | xargs kill -9 2>/dev/null
Recommendation: Track and stop only Canvas-OS-owned PIDs, prefer a graceful termination signal, and ask the user before killing an unknown process.
Finding 3
Impact: Untrusted HTML or data rendered through this path could run script inside the Canvas page.
Evidence: Direct JavaScript evaluation and document.write injection are an intended Canvas rendering method, but they execute whatever HTML/JS the app content contains.
    canvas.eval(javaScript='document.open(); document.write(`<html>...</html>`); document.close();')
Recommendation: Use trusted templates and app data, sanitize untrusted content before injecting it, and avoid rendering arbitrary remote HTML.
Finding 4
Impact: Buttons or app code can prompt the agent with commands, so a malicious or poorly reviewed app could try to steer the agent through the UI channel.
Evidence: The template uses deep links so Canvas apps can send messages back to the agent; this is disclosed and central to two-way interaction, but origin and approval handling are not described in the template.
    window.location.href = 'openclaw://agent?message=' + encodeURIComponent(msg);
Recommendation: Treat app-originated messages as untrusted requests, require user confirmation for consequential actions, and review custom app code before running it.
Finding 5
Impact: Information placed in app state can remain on disk and may later be reused or served by the app workflow.
Evidence: The skill documents persistent local app state as part of its app layout.
    data.json # Persistent state
Recommendation: Do not store secrets or highly sensitive personal data in Canvas app state unless you understand where it is saved and how to delete it.
