ClawHub
Back to skill
v1.0.0

Canvas Os 1.0.1

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:41 AM.

Analysis

Canvas OS is mostly a coherent Canvas UI skill, but it should be reviewed because it can run local web servers, inject JavaScript, terminate port listeners, and let Canvas apps send messages back to the agent.

GuidanceReview the helper scripts before installing. Use only trusted local Canvas apps, avoid path-like app names, do not serve sensitive directories, confirm before killing any existing port listener, and treat messages from Canvas apps as untrusted unless you explicitly approve them.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityMediumConfidenceHighStatusConcern
open-app.sh
APP_NAME="${1:-my-app}"
PORT="${2:-9876}"
...
lsof -ti:$PORT 2>/dev/null | xargs kill -9 2>/dev/null
...
cd "$APPS_DIR/$APP_NAME"
python3 -m http.server $PORT > /dev/null 2>&1 &

The helper takes app name and port from arguments, kills any listener on that port, then serves the resulting path without canonicalizing it under the intended apps directory.

User impactOpening an app could terminate an unrelated local service on that port, and a path-like app name could cause the helper to serve a directory outside the intended Canvas apps folder.
RecommendationRestrict app names to safe slugs, realpath-check that the target stays under the apps directory, bind the server only as needed, and confirm before terminating any existing process.
Unexpected Code Execution
SeverityLowConfidenceHighStatusNote
CANVAS-LOADING.md
canvas.present(url="about:blank")
canvas.eval(javaScript='document.open(); document.write(`<html>...</html>`); document.close();')

Direct JavaScript evaluation and document.write injection are explicitly part of the Canvas rendering approach. This is purpose-aligned, but it means supplied HTML/JS must be trusted or sanitized.

User impactIf untrusted HTML or unescaped data is injected, it can run inside the Canvas page and potentially interact with the app-to-agent messaging flow.
RecommendationInject only trusted HTML/JS, escape dynamic data before placing it in HTML, and avoid rendering third-party content through eval/document.write without review.
Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
open-app.sh
openclaw nodes status --json 2>/dev/null | jq -r '.nodes[0].displayName' ...
lsof -ti:$PORT ...
curl -s "http://localhost:$PORT/"

The registry requirements declare only python3, but the runnable helper also relies on openclaw, jq, lsof, and curl. This is purpose-aligned, but the runtime assumptions are under-declared.

User impactThe helper may fail or behave differently depending on local tools that were not declared as requirements.
RecommendationUpdate requirements to list all needed tools and verify the publisher/source before running the included helper scripts.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityMediumConfidenceHighStatusConcern
SKILL.md
Apps send commands back via deep links:
function sendToAgent(message) {
  window.location.href = `openclaw://agent?message=${encodeURIComponent(message)}`;
}

// Button click → agent command

Canvas app JavaScript can create messages to the agent, but the artifacts do not define origin checks, permissions, or confirmation requirements for those app-originated commands.

User impactA Canvas app or injected UI content could steer the agent through deep-link messages unless the agent treats those messages as untrusted app events rather than direct user instructions.
RecommendationRequire user confirmation for app-originated commands, label them with the app origin, and allowlist low-risk commands instead of accepting arbitrary message text.