canvas
Pass
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: SAFEREMOTE_CODE_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill provides an
evalaction which allows the execution of arbitrary JavaScript within the context of the canvas WebView. While this is a powerful capability, it is explicitly documented as a feature for debugging and interacting with the rendered content. - [EXTERNAL_DOWNLOADS]: The
presentandnavigateactions allow the agent to load content from external URLs. This is a core function of the skill for displaying remote web content on connected nodes. - [COMMAND_EXECUTION]: The skill manages a local Gateway and host server that serves files from a user-specified root directory (
~/.openclaw/canvas). This allows the agent to serve locally generated or existing files to the canvas nodes.
Audit Metadata