π₯οΈ Canvas-OS
v1.0.1Canvas as an app platform. Build, store, and run rich visual apps on the OpenClaw Canvas.
β 7Β· 2.5kΒ·15 currentΒ·16 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Benign, high confidence
Purpose & Capability
Name/description claim 'Canvas as an app platform' and included files (templates, open/close scripts, canvas-inject.py) align: the skill needs python3 to serve apps via http.server, navigate Canvas, and inject HTML/JS. No unrelated binaries or credentials are requested.
Instruction Scope
SKILL.md and scripts instruct the agent to start a localhost server, navigate Canvas to http://localhost:PORT, and/or inject arbitrary HTML via document.write() using canvas eval. This is coherent with the purpose, but it inherently allows arbitrary JS to run inside Canvas (including code that issues openclaw:// deep links or loads external resources). That capability can be used for legitimate two-way communication but also can be abused to exfiltrate data or trigger agent actions if untrusted HTML is opened.
Install Mechanism
There is no install spec that downloads remote code; repository is instruction-and-file based. All code is provided in the package (shell scripts, Python helper, templates). No external URLs, archives, or network installs are performed by the skill itself.
Credentials
The skill requires only python3 (declared). There are no required environment variables or credentials; an optional CANVAS_APPS_DIR env var is referenced for app location. No unexplained secrets or cross-service credentials are requested.
Persistence & Privilege
always:false and default model invocation settings are conservative. The scripts write PID files to /tmp and start/stop local servers but do not modify other skills or system-wide agent configs. Note: if the agent is allowed to invoke skills autonomously, the ability to inject HTML/JS that can call openclaw:// deep links increases the blast radius; this is expected behavior for this skill but worth considering in your agent policy.
Assessment
This skill is internally consistent and does what it claims, but it enables running arbitrary HTML/JS inside the Canvas sandbox. Before installing or opening apps:
1) Only open templates or HTML you trust: review app HTML/JS for network calls, eval() usage, and openclaw:// deep links.
2) Prefer running new/untrusted apps in a disposable environment (separate user account or VM) and bind them to non-sensitive ports.
3) Verify that your agent will not automatically act on openclaw:// messages in a risky way (check agent policies or disable autonomous invocation if you want manual control).
4) The scripts start/kill local servers and write PID files to /tmp; ensure these behaviors are acceptable and modify scripts if you need stricter process isolation.
5) If you plan to allow other users to provide apps, audit their code for exfiltration (fetch/XHR to external hosts) and for deep link triggers.
If you want help hardening usage patterns (sanitizing templates, running in a sandbox, or adding confirmation prompts for agent actions triggered by apps), ask and I can provide concrete changes.
latest: vk973wpjbz2128v95r79c9x01nd80cj6t
Runtime requirements
🖥️ Clawdis
Bins: python3
