Skill v1.0.0
VirusTotal security
Canvas Os 1.0.1 · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · May 1, 2026, 3:58 AM
- Hash: f7460a6a54b88e09e0f0eed1cc5793406a6b84aa40a87ee35252d4eda7b5972c
- Source: palm
- Verdict: suspicious
- Code Insight:
  Type: OpenClaw Skill
  Name: canvas-os-1-0-1
  Version: 1.0.0
  The `open-app.sh` script contains a shell injection vulnerability. The `APP_NAME` variable, which is derived from user input or agent parameters, is used directly in `cd "$APPS_DIR/$APP_NAME"` without proper sanitization. This could allow an attacker to perform directory traversal (e.g., `../../../../etc`) to serve sensitive files via `python3 -m http.server` or execute arbitrary commands if shell metacharacters are included in `APP_NAME`. This is a significant vulnerability, but there is no clear evidence of intentional malicious design to exploit it, rather it appears to be a lack of input validation.
