Canvas OS 1.0.1

Pass

Audited by ClawScan on May 10, 2026.

Overview

Canvas OS appears purpose-aligned for building Canvas apps, with no evidence of credential theft or exfiltration, but it relies on JavaScript injection, local servers, and app-to-agent callbacks, which should only be used with trusted content.

This skill is reasonable to install if you want Canvas-based local apps and trust the publisher. Review any app HTML/JS before running it, avoid putting sensitive data in served app folders, use dedicated localhost ports, close background servers when done, and verify the publisher/version because the supplied metadata is inconsistent.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Untrusted HTML or JavaScript displayed through this workflow could run inside the Canvas page and manipulate the UI.

Why it was flagged

The skill intentionally injects HTML through JavaScript eval/document.write in Canvas. This is central to the stated UI purpose, but it means app content is executed in the Canvas context.

Skill content

canvas.present(url="about:blank")
canvas.eval(javaScript='document.open(); document.write(`<html>...</html>`); document.close();')

Recommendation

Only inject trusted generated apps or reviewed HTML/JS, and sanitize untrusted data before rendering it into templates.

What this means

A trusted app button can conveniently ask the agent to act, but a malicious or poorly reviewed app could send misleading agent commands.

Why it was flagged

Canvas apps can send messages back to the agent via an openclaw:// deep link. This is disclosed as two-way communication, but the app content becomes a source of agent instructions.

Skill content

function sendToAgent(msg) { window.location.href = 'openclaw://agent?message=' + encodeURIComponent(msg); }

Recommendation

Use only trusted Canvas apps and require confirmation before the agent performs consequential actions triggered by app-originated messages.

What this means

If another local service is using the selected port, it could be stopped; while the server is running, files in the selected app directory are being served.

Why it was flagged

Opening an app automatically kills any process on the chosen port and starts a background HTTP server for the selected app directory. This is purpose-aligned but has local side effects.

Skill content

lsof -ti:$PORT 2>/dev/null | xargs kill -9 2>/dev/null
...
python3 -m http.server $PORT > /dev/null 2>&1 &

Recommendation

Use dedicated Canvas OS ports, check what is running before killing a port, bind the server to loopback where possible, and close the app server when finished.

What this means

It may be harder to confirm exactly which publisher and version you are installing.

Why it was flagged

The supplied registry metadata lists a different owner ID and version than _meta.json, and package.json also lists version 1.0.0. This is a provenance/version consistency gap, not direct evidence of unsafe behavior.

Skill content

"ownerId": "kn7644c3fqt3fpbtf5hm1z2zn580cmkh",
"slug": "canvas-os",
"version": "1.0.1"

Recommendation

Verify the ClawHub page, publisher, and repository before installing or relying on this skill.