Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Claw Canvas
v1.0.0
A virtual canvas for OpenClaw to output content and visualize its thinking during development.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the code: the CLI sends markdown to openclaw.default_api.canvas to present content. However SKILL.md advertises additional features (display_image, progress, snapshot, interactive thinking) that are not implemented in scripts/canvas_cli.py (only display_markdown exists). This is an inconsistency but not evidence of malicious behavior.
Instruction Scope
Runtime instructions are narrowly scoped to invoking the CLI to display content. The SKILL.md examples include an image-display command that the included CLI does not implement; otherwise the instructions do not request files, credentials, or unrelated system data. The CLI calls default_api.canvas — review what that API does in your runtime because the script delegates output handling to it.
Install Mechanism
No install spec and only a small Python script are included. Nothing is downloaded or written during install by this package itself.
Credentials
No environment variables, credentials, or config paths are required. The only dependency is the presence of an openclaw.default_api object at runtime (expected for an OpenClaw skill).
Persistence & Privilege
The skill does not request always:true, does not modify other skills or global configuration, and has no install-time persistence instructions.
Assessment
This appears to be a small, legitimate helper that forwards content to the agent's canvas API. Before installing: (1) verify what openclaw.default_api.canvas does in your runtime (does it store, forward, or expose canvas contents externally?), (2) note that the SKILL.md advertises image/progress features that the included script does not implement — if you need those, request or inspect an updated implementation, (3) test the CLI in a safe environment to confirm behavior and output destinations, and (4) if you are concerned about sensitive content being shown, avoid sending secrets to the canvas and confirm any viewers/servers that can access canvas contents.
Like a lobster shell, security has layers — review code before you run it.
latestvk97fzzkx59qrhyk6azpx28kyx181xvk3
