Canvas Os 1.0.1

v1.0.0

Canvas as an app platform. Build, store, and run rich visual apps on the OpenClaw Canvas.

⭐ 0· 717·4 current·4 all-time

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for knightluozichu/canvas-os-1-0-1.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "Canvas Os 1.0.1" (knightluozichu/canvas-os-1-0-1) from ClawHub.
Skill page: https://clawhub.ai/knightluozichu/canvas-os-1-0-1
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: python3
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install knightluozichu/canvas-os-1-0-1

ClawHub CLI

Package manager switcher

npx clawhub@latest install canvas-os-1-0-1

Security Scan

VirusTotal

Suspicious

View report →

OpenClaw

Suspicious

medium confidence

Purpose & Capability

The skill's stated purpose (serve and inject Canvas apps) is coherent with the included files and scripts, but the declared requirements only list python3 while the scripts and instructions rely on several other command-line tools and the openclaw CLI (lsof, curl, jq, openclaw). Those tooling expectations are not declared, which is an incoherence a user should know about.

Instruction Scope

SKILL.md instructs running a local http.server, navigating Canvas via openclaw nodes canvas navigate, and injecting arbitrary HTML/JS via canvas eval/document.write. That allows arbitrary JavaScript to run inside Canvas and apps can call deep links (openclaw://agent?message=...) to send commands back to the agent — a legitimate feature for two-way UI, but it also expands the attack surface (untrusted HTML/JS could attempt to prompt the agent to take actions). The instructions also reference reading app files from the user's workspace (~/.openclaw/workspace/apps), which is consistent with the skill's purpose.

✓

Install Mechanism

No install spec is provided (instruction-only plus bundled helper scripts), so nothing is downloaded or executed during install. This is lower risk; the included scripts will only run if the user/agent executes them.

Credentials

The skill declares no required environment variables or credentials, which matches the lack of network/service integrations. However, scripts implicitly rely on environment items (HOME, optional CANVAS_APPS_DIR) and on the presence of the openclaw CLI and utilities (jq, lsof, curl). The absence of these from requires.env / requires.bins is an inconsistency and could hide implicit privilege/assumptions.

✓

Persistence & Privilege

always:false and normal autonomous invocation are used. The skill writes transient PID files in /tmp to manage local servers (expected behavior). It does not request persistent system-wide privileges or modify other skills' configurations.

What to consider before installing

This skill appears to implement a Canvas app platform and includes helper scripts and HTML templates that match that purpose, but proceed with care: - Missing declared tools: the scripts call openclaw, lsof, curl and jq but the metadata only lists python3. Ensure those tools are present and you understand their use before running the scripts. - Arbitrary JS injection: the skill injects HTML/JS into Canvas via eval/document.write. Only display HTML you trust — injected JS can communicate back to the agent via deep links (openclaw://agent?...), which could cause the agent to act on messages authored by the app. - Local servers & ports: the open-app.sh script starts a local http.server and kills processes on ports (kill -9 via lsof). That behavior is expected for serving apps but review it before running on sensitive machines and be aware of potential port conflicts. - Review templates: included HTML templates are benign-looking, but if you plan to use third-party or user-supplied HTML, audit it for scripts that could trigger agent actions or exfiltrate data. If you want to install/use this skill: verify the openclaw CLI and required utilities are available, run the helper scripts in a controlled environment first, and avoid injecting untrusted HTML into Canvas. If the author intended the skill to require additional binaries, ask them to update the metadata to declare them explicitly.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🖥️ Clawdis

Binspython3

latestvk970xgw2azbaw62qjr04sf09x9812xre

717downloads

0stars

1versions

Updated 10h ago

v1.0.0

MIT-0

Canvas OS

Canvas as an app platform. Build, store, and run rich visual apps on the OpenClaw Canvas.

Philosophy

You are an OS. Canvas is the window. Apps are built locally and run on Canvas.

Rich HTML/CSS/JS UIs — not just text. Full interactivity, animations, live data.

Quick Commands

Command	What Jarvis Does
"Open [app]"	Start server, navigate Canvas, inject data
"Build me a [type]"	Create app from template, open it
"Update [element]"	Inject JS to modify live
"Show [data] on canvas"	Quick A2UI display
"Close canvas"	Stop server, hide Canvas

How It Works

Key principle: Apps run on Canvas, not in a browser tab. Canvas is your UI window.

Canvas Loading Methods

Canvas has security restrictions that block file path access. Three methods work:

Method	When to Use	Pros	Cons
Localhost Server	Complex apps, external assets	Full browser features	Requires port management
Direct HTML Injection	Quick displays, demos	Instant, no server needed	No external assets, size limit
Data URLs	Small content	Self-contained	Unreliable on some systems

❌ Does NOT work: file:///path/to/file.html (blocked by Canvas security)

📖 See: CANVAS-LOADING.md for detailed guide + troubleshooting

Helper script: canvas-inject.py — Formats HTML for direct injection

1. Apps are HTML/CSS/JS files

~/.openclaw/workspace/apps/[app-name]/
├── index.html    # The UI (self-contained recommended)
├── data.json     # Persistent state
└── manifest.json # App metadata

2. Serve via localhost

cd ~/.openclaw/workspace/apps/[app-name]
python3 -m http.server [PORT] > /dev/null 2>&1 &

3. Navigate Canvas to localhost

NODE="Your Node Name"  # Get from: openclaw nodes status
openclaw nodes canvas navigate --node "$NODE" "http://localhost:[PORT]/"

Important: This opens the app on Canvas (the visual panel), NOT in a browser.

4. Agent injects data via JS eval

openclaw nodes canvas eval --node "$NODE" --js "app.setData({...})"

Note: The openclaw-canvas:// URL scheme has issues in current OpenClaw versions. Use http://localhost: instead.

Opening an App

What this does: Displays the app on Canvas (the visual panel), not in a browser tab.

Method 1: Localhost Server (Recommended for Complex Apps)

Full sequence:

NODE="Your Node Name"
PORT=9876
APP="my-app"

# 1. Kill any existing server on the port
lsof -ti:$PORT | xargs kill -9 2>/dev/null

# 2. Start server
cd ~/.openclaw/workspace/apps/$APP
python3 -m http.server $PORT > /dev/null 2>&1 &

# 3. Wait for server
sleep 1

# 4. Navigate Canvas
openclaw nodes canvas navigate --node "$NODE" "http://localhost:$PORT/"

# 5. Inject data
openclaw nodes canvas eval --node "$NODE" --js "app.loadData({...})"

Method 2: Direct HTML Injection (For Quick Displays)

When to use: File paths don't work in Canvas (security sandboxing). Data URLs can be unreliable. Use this for instant displays without localhost.

# Example using canvas tool
canvas.present(url="about:blank", target=node_name)

html_content = """<!DOCTYPE html>
<html>
<head>
    <style>
        body { background: #667eea; color: white; padding: 40px; }
        .card { background: white; color: #333; padding: 30px; border-radius: 16px; }
    </style>
</head>
<body>
    <div class="card">
        <h1>Your Content Here</h1>
    </div>
</body>
</html>"""

# Escape backticks and inject
js_code = f"""document.open();
document.write(`{html_content}`);
document.close();"""

canvas.eval(javaScript=js_code, target=node_name)

Key limitation: File paths (file:///path/to/file.html) are blocked in Canvas for security. Always use localhost or direct injection.

Building Apps

App API Convention

Every app should expose a window.app or window.[appname] object:

window.app = {
  // Update values
  setValue: (key, val) => {
    document.getElementById(key).textContent = val;
  },
  
  // Bulk update
  loadData: (data) => { /* render all */ },
  
  // Notifications
  notify: (msg) => { /* show toast */ }
};

Two-Way Communication

Apps send commands back via deep links:

function sendToAgent(message) {
  window.location.href = `openclaw://agent?message=${encodeURIComponent(message)}`;
}

// Button click → agent command
document.getElementById('btn').onclick = () => {
  sendToAgent('Refresh my dashboard');
};

Templates

Dashboard

Stats cards, progress bars, lists. Self-contained HTML.

Default port: 9876
API: dashboard.setRevenue(), dashboard.setProgress(), dashboard.notify()

Tracker

Habits/tasks with checkboxes and streaks. Self-contained HTML.

Default port: 9877
API: tracker.setItems(), tracker.addItem(), tracker.toggleItem()

Quick Display (A2UI)

For temporary displays without a full app:

openclaw nodes canvas a2ui push --node "$NODE" --text "
📊 QUICK STATUS

Revenue: \$500
Users: 100

Done!
"

Port Assignments

App Type	Default Port
Dashboard	9876
Tracker	9877
Timer	9878
Display	9879
Custom	9880+

Design System

:root {
  --bg-primary: #0a0a0a;
  --bg-card: #1a1a2e;
  --accent-green: #00d4aa;
  --accent-blue: #4a9eff;
  --accent-orange: #f59e0b;
  --text-primary: #fff;
  --text-muted: #888;
  --border: #333;
}

Best Practices

Self-contained HTML — Inline CSS/JS for portability
Dark theme — Match OpenClaw aesthetic
Expose app API — Let agent update via window.app.*
Use IDs — On elements the agent will update
Live clock — Shows the app is alive
Deep links — For two-way communication

Troubleshooting

App opens in browser instead of Canvas?

Make sure you're using openclaw nodes canvas navigate, not just open
Canvas navigate targets the Canvas panel specifically

"Not Found" on Canvas?

File paths don't work: Canvas blocks file:/// URLs for security (sandboxing)
Data URLs may fail: Use direct HTML injection via canvas eval + document.write() instead
For localhost: Verify server is running: curl http://localhost:[PORT]/
Check port is correct
Use http://localhost: not openclaw-canvas:// (URL scheme has issues)

Canvas shows "Not Found" even with correct URL?

This is a security boundary: Canvas can't access local filesystem
Solution: Use Method 2 (Direct HTML Injection) from "Opening an App" section
Or serve via localhost (Method 1)

App not updating?

Check window.app API is defined: openclaw nodes canvas eval --js "typeof window.app"
Verify JS eval syntax: single quotes inside double quotes

Server port already in use?

Kill existing: lsof -ti:[PORT] | xargs kill -9

Helper Scripts

canvas-inject.py

Python helper for direct HTML injection (Method 2).

# Example usage in Python
from canvas_inject import inject_html_to_canvas

html = open("my-dashboard.html").read()
commands = inject_html_to_canvas(html, node_name="Your Node")

# Then use canvas tool with these commands
canvas.present(**commands["step1_present"])
canvas.eval(**commands["step2_inject"])