Canvas
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: canvas
Version: 1.0.0

The skill is classified as suspicious because several of its capabilities are high-risk if an attacker can influence the agent or the user's input. Primarily, the `eval` action executes arbitrary JavaScript inside the WebView, which is code execution in the rendered page's context: effectively an XSS sink, since attacker-influenced script runs with the page's privileges and could exfiltrate data if the WebView can reach local resources. Additionally, the skill serves local files from a configurable root directory (`canvasHost.root`), which could expose sensitive data if an attacker controls that directory or can place files in it. The server's ability to bind to a LAN or Tailscale address further widens the attack surface. These capabilities are presented as features, but they are critical attack vectors unless they are gated at the agent or user-input level.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using the skill could display or change content on a connected device and capture a screenshot of the canvas view.
The skill exposes remote actions that affect a connected node's canvas. This is the stated purpose, but users should be aware that it can change what a node displays and capture the canvas contents.
| `present` | Show canvas with optional target URL | ... | `navigate` | Navigate to a new URL | ... | `snapshot` | Capture screenshot of canvas |
Use it only with intended nodes and trusted URLs, and avoid showing sensitive information in the canvas unless snapshot behavior is acceptable.
JavaScript run through this action can alter the page shown in the connected node's canvas.
The skill documents a JavaScript eval action inside the canvas WebView. This is purpose-aligned for interactive HTML control, but it is still code execution within the rendered page context.
| `eval` | Execute JavaScript in the canvas |
Run eval only against trusted canvas content and confirm the intended node and page before executing scripts.
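As an added example (not code from the canvas skill or from ClawScan), the "confirm the intended node and page" check above expressed as a policy gate an agent could run before dispatching `eval`. The request shape (`node`, `script`), the `canvasState.currentPageUrl` field, the policy fields and the node names are assumptions for illustration; the skill's real action interface is not shown on this page.

```javascript
// Added example (not part of the canvas skill or the ClawScan report):
// a policy gate an agent could run before dispatching the skill's `eval`
// action. The request shape, policy fields and node identifiers are
// assumptions for illustration, not the skill's real API.

const EVAL_POLICY = {
  // Nodes this agent is allowed to push scripts to (constructed sample).
  allowedNodes: new Set(["kiosk-lobby", "dev-laptop"]),
  // Page origins whose content is trusted enough to run scripts in.
  trustedOrigins: new Set(["https://canvas.example.internal", "http://127.0.0.1:3000"]),
};

// Decide whether an eval request may proceed. Returns { allowed, reason }
// and never executes the script itself: the script is treated as data here.
function authorizeEval(request, canvasState, policy = EVAL_POLICY) {
  const { node, script } = request;
  if (typeof node !== "string" || !policy.allowedNodes.has(node)) {
    return { allowed: false, reason: `node ${JSON.stringify(node)} is not an intended target` };
  }
  if (typeof script !== "string" || script.trim() === "") {
    return { allowed: false, reason: "script must be a non-empty string" };
  }
  let page;
  try {
    page = new URL(canvasState.currentPageUrl);
  } catch {
    return { allowed: false, reason: "canvas page URL is missing or unparseable" };
  }
  // Only http(s) pages have a meaningful origin; file:, data: and about:
  // pages are rejected outright because their privileges are hard to reason about.
  if (page.protocol !== "https:" && page.protocol !== "http:") {
    return { allowed: false, reason: `refusing to eval on ${page.protocol} page` };
  }
  if (!policy.trustedOrigins.has(page.origin)) {
    return { allowed: false, reason: `page origin ${page.origin} is not trusted` };
  }
  return { allowed: true, reason: "node and page match policy" };
}

// Demo with constructed requests: the first passes, the second is refused
// because the canvas has navigated to an untrusted origin.
const TRUSTED_STATE = { currentPageUrl: "https://canvas.example.internal/dashboard" };
console.log(authorizeEval({ node: "kiosk-lobby", script: "document.title" }, TRUSTED_STATE));
console.log(authorizeEval({ node: "kiosk-lobby", script: "document.title" },
  { currentPageUrl: "https://attacker.example/landing" }));
```

The gate only decides whether to dispatch; once allowed, the script runs with the page's full privileges, so the origin allowlist should contain only content you control, and the current page URL must come from the node's actual state rather than from the same request that carries the script.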
Files placed in the canvas root may be made available to connected nodes through the chosen bind mode.
The canvas host can serve files from the configured root directory over local network or Tailscale addresses so connected nodes can load them. This data flow is disclosed and aligned with the skill's purpose.
Serves static HTML/CSS/JS files from `canvasHost.root` directory ... `lan` ... LAN IP address ... `tailnet` ... Tailscale hostname ... `auto` ... Tailscale > LAN > loopback
Keep the canvas root limited to files intended for display and choose loopback, LAN, or Tailscale binding according to the desired exposure.
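To make the recommendation above concrete, an added example (not the skill's own code) of two checks a host serving `canvasHost.root` should enforce: confining each requested path to the root, and choosing the bind address per mode with the `auto` precedence the page documents (Tailscale > LAN > loopback). The function names, the `env` object, the `loopback` mode string and the sample paths are assumptions; the mode strings `lan`, `tailnet` and `auto` come from the skill's documentation.

```javascript
// Added example (not the canvas skill's own code): the two checks a
// practitioner wants around serving `canvasHost.root`. Function names,
// the `env` object and the sample paths are assumptions for illustration.

// Map a request path to a file path confined to `root`. Returns null for
// anything that would escape the root or cannot be decoded safely.
function resolveUnderRoot(root, requestPath) {
  if (typeof requestPath !== "string") return null;
  // Strip query/fragment, then percent-decode; malformed encodings are rejected.
  let decoded;
  try {
    decoded = decodeURIComponent(requestPath.split(/[?#]/)[0]);
  } catch {
    return null;
  }
  // NUL bytes and backslashes are classic ways to smuggle a different
  // path past a naive string check, so refuse them outright.
  if (decoded.includes("\0") || decoded.includes("\\")) return null;

  const stack = [];
  for (const seg of decoded.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (stack.length === 0) return null; // would climb above the root
      stack.pop();
      continue;
    }
    stack.push(seg);
  }
  const rel = stack.join("/");
  const rootNorm = root.replace(/\/+$/, "");
  // Serving index.html for the bare root is an assumption of this example.
  return rel === "" ? `${rootNorm}/index.html` : `${rootNorm}/${rel}`;
}

// Choose the bind address for a bind mode, following the precedence the
// SKILL.md documents for `auto` (Tailscale > LAN > loopback). `env` is a
// constructed stand-in for whatever the host discovers at startup.
function pickBindAddress(mode, env) {
  switch (mode) {
    case "loopback":
      return "127.0.0.1";
    case "lan":
      if (!env.lanIp) throw new Error("lan mode requested but no LAN address found");
      return env.lanIp;
    case "tailnet":
      if (!env.tailnetHostname) throw new Error("tailnet mode requested but Tailscale is not up");
      return env.tailnetHostname;
    case "auto":
      return env.tailnetHostname || env.lanIp || "127.0.0.1";
    default:
      throw new Error(`unknown bind mode: ${mode}`);
  }
}

// Demo with constructed inputs.
const SAMPLE_ENV = { tailnetHostname: "canvas-host.tail1234.ts.net", lanIp: "192.168.1.20" };
console.log(pickBindAddress("auto", SAMPLE_ENV)); // auto takes the widest exposure available
console.log(pickBindAddress("auto", { lanIp: "192.168.1.20" }));
console.log(resolveUnderRoot("/srv/canvas", "/slides/deck.html"));
console.log(resolveUnderRoot("/srv/canvas", "/../../etc/passwd")); // null
```

The path check is string-level: a symlink inside the root that points outside it still escapes, so a real host should also compare the opened file's real path against the root's real path. The `auto` branch is the one to watch when deciding exposure, because it silently picks the Tailscale or LAN address whenever one exists and falls back to loopback only when neither does.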
A mistaken or unwanted file change in the canvas root could immediately update what connected nodes display.
Live reload automatically propagates local file changes to connected canvases. This is useful for development and is disclosed, but users should be aware of the automatic update behavior.
When `liveReload: true` (default), the canvas host ... Automatically reloads connected canvases when files change
Disable live reload or hide the canvas when working with unfinished or sensitive content.
