Canvas Skill
Display HTML content on connected OpenClaw nodes (Mac app, iOS, Android).
Security score: 67/100
The Canvas Skill was audited on Feb 28, 2026, and we found 11 security issues across 3 threat categories, including 1 high-severity issue. Review the findings below before installing.
Security Issues
high line 161
Curl to non-GitHub URL
Source: SKILL.md
| 161 | 3. Test URL directly: `curl http://<hostname>:18793/__openclaw__/canvas/<file>.html` |
medium line 60
Access to hidden dotfiles in home directory
Source: SKILL.md
| 60 | In `~/.openclaw/openclaw.json`: |
low line 109
Access to hidden dotfiles in home directory
Source: SKILL.md
| 109 | cat ~/.openclaw/openclaw.json | jq '.gateway.bind' |
medium line 159
Access to hidden dotfiles in home directory
Source: SKILL.md
| 159 | 1. Check server bind: `cat ~/.openclaw/openclaw.json | jq '.gateway.bind'` |
low line 43
External URL reference
Source: SKILL.md
| 43 | http://<tailscale-hostname>:18793/__openclaw__/canvas/<file>.html |
low line 114
External URL reference
Source: SKILL.md
| 114 | - **loopback**: `http://127.0.0.1:18793/__openclaw__/canvas/<file>.html` |
low line 115
External URL reference
Source: SKILL.md
| 115 | - **lan/tailnet/auto**: `http://<hostname>:18793/__openclaw__/canvas/<file>.html` |
low line 140
External URL reference
Source: SKILL.md
| 140 | canvas action:present node:mac-63599bc4-b54d-4392-9048-b97abd58343a target:http://peters-mac-studio-1.sheep-coho.ts.net:18793/__openclaw__/canvas/snake.html |
low line 161
External URL reference
Source: SKILL.md
| 161 | 3. Test URL directly: `curl http://<hostname>:18793/__openclaw__/canvas/<file>.html` |
low line 186
External URL reference
Source: SKILL.md
| 186 | http://<host>:18793/__openclaw__/canvas/index.html → ~/clawd/canvas/index.html |
low line 187
External URL reference
Source: SKILL.md
| 187 | http://<host>:18793/__openclaw__/canvas/games/snake.html → ~/clawd/canvas/games/snake.html |
Scanned on Feb 28, 2026