Canvas Os 1.0.1

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Canvas app runner, but its helper scripts can kill unrelated local processes and may serve unintended folders if given unsafe app names.

Install only if you want a local Canvas app runner and trust the app HTML/JS you will run. Avoid path-like app names, keep sensitive files outside served folders, check ports before opening an app, and do not let app-to-agent messages trigger consequential actions without confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Context-Inappropriate Capability

Medium, 92% confidence
Finding
This helper explicitly constructs Canvas `eval` commands that execute JavaScript and inject arbitrary HTML into a presented document via `document.write()`. That creates a direct code/content injection primitive which can be abused for script execution, UI spoofing, credential phishing, or bypassing safer content-loading restrictions; the stated 'workaround for Canvas file path restrictions' makes the capability more suspicious because it is designed to circumvent platform protections rather than use approved rendering paths.

Intent-Code Divergence

Low, 80% confidence
Finding
The documentation downplays the real behavior by describing it as HTML injection while the implementation actually emits JavaScript for execution through an `eval` action. This mismatch is dangerous because reviewers or downstream users may underestimate the risk and permit a capability that enables arbitrary DOM/script manipulation in Canvas, increasing the chance of unsafe use or abuse.

Context-Inappropriate Capability

Medium, 97% confidence
Finding
The script unconditionally kills any process bound to the requested port using kill -9, regardless of what that process is. This is dangerous because a user-supplied or default port can terminate unrelated services on the host, causing denial of service and potential data loss from abrupt termination.

Vague Triggers

Medium, 82% confidence
Finding
The example trigger phrases are very generic and can plausibly match ordinary user requests, which increases the chance the skill is invoked unintentionally. In a skill that can serve local apps, inject JavaScript via eval, and accept commands back from the UI, accidental activation expands the attack surface and could lead to unintended code/data handling.

Missing User Warnings

Medium, 94% confidence
Finding
The README explicitly describes localhost serving, JavaScript eval-based data injection, and bidirectional command flow from apps back to the agent, but provides no safety warning or trust boundary guidance. Those capabilities can enable script injection, unsafe local exposure, or command spoofing if app content or injected data is not strictly controlled, and the lack of warning makes misuse more likely.

Vague Triggers

Medium, 85% confidence
Finding
The quick-command phrases are very broad natural-language triggers like "Open [app]", "Build me a [type]", and "Close canvas", which could match normal conversation rather than deliberate skill invocation. In a skill that can launch servers, navigate Canvas, inject JavaScript, and modify UI state, unintended activation could cause unexpected code execution or disruptive interface changes.

Missing User Warnings

Medium, 95% confidence
Finding
The documented workflow includes `lsof -ti:$PORT | xargs kill -9`, which force-kills any process bound to the selected port without validating ownership or warning the user. If triggered on a port used by another application, this can terminate unrelated local services, cause data loss, or disrupt active workflows.

Missing User Warnings

Medium, 93% confidence
Finding
The script reads a PID from a predictable file path derived from untrusted input and immediately issues `kill -9` without validating that the PID belongs to the intended app process. If the PID file is stale, tampered with, or collides with another process, the script can terminate an unrelated process and then delete the evidence by removing the PID file, causing denial of service and complicating recovery.

Missing User Warnings

Medium, 98% confidence
Finding
The script force-kills whatever process is listening on the selected port without warning the user that this is a destructive host-level action. In the context of a skill meant to open a Canvas app, that behavior is broader than necessary and can be abused or accidentally triggered to disrupt unrelated local services.

VirusTotal

65/65 vendors flagged this skill as clean.
