agentskill.sh secured

Canvas Skill

Display HTML content on connected OpenClaw nodes (Mac app, iOS, Android).

@openclaw skills/canvas/SKILL.md GitHub Stars 276,735

Security score

This tab presents tested categories, issue summaries, and source snippets in an audit-style report.

Security score 67/100

Audited on Mar 28, 2026

Audit summary 1 / 2 / 8

High / Medium / Low

Categories 4

Findings 11

Platforms 1

Sources 1

Categories Tested

Instruction boundariesFilesystem writesNetwork referencesPlatform-specific install flow

Security Issues

High Data Exfiltration

Line 161

Curl to non-GitHub URL

Severity: High · Category: Data Exfiltration · Line 161

3. Test URL directly: `curl http://<hostname>:18793/__openclaw__/canvas/<file>.html`

Medium File Access

Line 60

Access to hidden dotfiles in home directory

Severity: Medium · Category: File Access · Line 60

In `~/.openclaw/openclaw.json`:

Low File Access

Line 109

Access to hidden dotfiles in home directory

Severity: Low · Category: File Access · Line 109

cat ~/.openclaw/openclaw.json | jq '.gateway.bind'

Medium File Access

Line 159

Access to hidden dotfiles in home directory

Severity: Medium · Category: File Access · Line 159

1. Check server bind: `cat ~/.openclaw/openclaw.json | jq '.gateway.bind'`

Low External Calls

Line 43

External URL reference

Severity: Low · Category: External Calls · Line 43

http://<tailscale-hostname>:18793/__openclaw__/canvas/<file>.html

Low External Calls

Line 114

External URL reference

Severity: Low · Category: External Calls · Line 114

- **loopback**: `http://127.0.0.1:18793/__openclaw__/canvas/<file>.html`

Low External Calls

Line 115

External URL reference

Severity: Low · Category: External Calls · Line 115

- **lan/tailnet/auto**: `http://<hostname>:18793/__openclaw__/canvas/<file>.html`

Low External Calls

Line 140

External URL reference

Severity: Low · Category: External Calls · Line 140

canvas action:present node:mac-63599bc4-b54d-4392-9048-b97abd58343a target:http://peters-mac-studio-1.sheep-coho.ts.net:18793/__openclaw__/canvas/snake.html

Low External Calls

Line 161

External URL reference

Severity: Low · Category: External Calls · Line 161

3. Test URL directly: `curl http://<hostname>:18793/__openclaw__/canvas/<file>.html`

Low External Calls

Line 186

External URL reference

Severity: Low · Category: External Calls · Line 186

http://<host>:18793/__openclaw__/canvas/index.html → ~/clawd/canvas/index.html

Low External Calls

Line 187

External URL reference

Severity: Low · Category: External Calls · Line 187

http://<host>:18793/__openclaw__/canvas/games/snake.html → ~/clawd/canvas/games/snake.html

Mitigations

Review the upstream repository before copying files into a local skills directory.

Confirm install instructions and supported runtimes against SKILL.md instead of a generic readme.

Canvas Skill

/learn @openclaw/canvas-skill

/learn @openclaw/canvas

Download skill

Open repository Open source tree Inspect SKILL.md

Repo / Meta

Quality and Security stay visible here, on platform pages, and on the homepage.

GitHub Stars: 276,735
Rating: 3.5
Category: Development
Updated: Mar 28, 2026
Repository: openclaw/openclaw
Skill path: skills/canvas/SKILL.md
Platforms: openclaw
Tags: Development, Ai, agentskill.sh, OpenClaw