Canvas Skill

Enables display of HTML content on OpenClaw-connected nodes, perfect for interactive demos and visualizations.

Install this skill

53/100

Security score

The Canvas Skill skill was audited on May 12, 2026 and we found 11 security issues across 4 threat categories, including 2 high-severity. Review the findings below before installing.

Categories Tested

Security Issues

medium line 108

Template literal with variable interpolation in command context

SourceSKILL.md

108

```bash

high line 160

Template literal with variable interpolation in command context

SourceSKILL.md

160	1. Check server bind: `CONFIG_PATH="${OPENCLAW_CONFIG_PATH:-${OPENCLAW_STATE_DIR:-$HOME/.openclaw}/openclaw.json}"; cat "$CONFIG_PATH" \| jq '.gateway.bind'`

high line 162

Curl to non-GitHub URL

SourceSKILL.md

162	3. Test URL directly: `curl http://<hostname>:18793/__openclaw__/canvas/<file>.html`

medium line 60

Access to hidden dotfiles in home directory

SourceSKILL.md

60	In the active OpenClaw config file (`$OPENCLAW_CONFIG_PATH`, default `~/.openclaw/openclaw.json`):

low line 43

External URL reference

SourceSKILL.md

43	http://<tailscale-hostname>:18793/__openclaw__/canvas/<file>.html

low line 115

External URL reference

SourceSKILL.md

115	- loopback: `http://127.0.0.1:18793/__openclaw__/canvas/<file>.html`

low line 116

External URL reference

SourceSKILL.md

116	- lan/tailnet/auto: `http://<hostname>:18793/__openclaw__/canvas/<file>.html`

low line 141

External URL reference

SourceSKILL.md

141	canvas action:present node:mac-63599bc4-b54d-4392-9048-b97abd58343a target:http://peters-mac-studio-1.sheep-coho.ts.net:18793/__openclaw__/canvas/snake.html

low line 162

External URL reference

SourceSKILL.md