Trust Assessment
canvas-os received a trust score of 55/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 1 critical, 2 high, 1 medium, and 1 low severity. Key findings include Sensitive environment variable access: $HOME, Node lockfile missing, Client-side JavaScript Injection via `canvas.eval`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings5
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Unsanitized user input in `open-app.sh` leads to Critical Command Injection and Path Traversal The `open-app.sh` script takes `APP_NAME`, `PORT`, and `NODE` as command-line arguments without proper sanitization, leading to multiple critical vulnerabilities:
1. **Command Injection (PORT)**: `PORT` is used in `lsof -ti:$PORT`, `python3 -m http.server $PORT`, `curl -s "http://localhost:$PORT/"`, and `openclaw nodes canvas navigate ... "http://localhost:$PORT/"`. An attacker can inject shell metacharacters (e.g., `80; rm -rf /;`) into the `PORT` argument, leading to arbitrary command execution.
2. **Path Traversal (APP_NAME)**: `APP_NAME` is used in `cd "$APPS_DIR/$APP_NAME"` and `echo $SERVER_PID > "/tmp/canvas-app-$APP_NAME.pid"`. An attacker can provide `APP_NAME` like `../etc` to change directory to an arbitrary location or `../root/.ssh/authorized_keys` to write the PID to a sensitive file, potentially overwriting it.
3. **Command Injection (NODE)**: `NODE` is used in `openclaw nodes canvas navigate --node "$NODE"`. If `NODE` contains shell metacharacters, it could lead to arbitrary command execution. 1. **PORT**: Validate `PORT` to ensure it is a valid numeric port number (e.g., `^[0-9]+$`). 2. **APP_NAME**: Validate `APP_NAME` to ensure it only contains alphanumeric characters, hyphens, and underscores, and does not contain path traversal sequences like `../`. 3. **NODE**: Sanitize `NODE` by escaping or disallowing shell metacharacters. Use `printf %q` to properly quote the variable if it's passed to another shell command, or ensure the `openclaw` command has a mechanism to safely handle arguments. | LLM | open-app.sh:5 | |
| HIGH | Client-side JavaScript Injection via `canvas.eval` The `inject_html_to_canvas` function in `canvas-inject.py` constructs a JavaScript string using user-provided `html_content` and passes it to `canvas.eval`. Although backticks are escaped, arbitrary HTML and JavaScript can still be injected into the Canvas environment. If `html_content` originates from an untrusted source, this allows for Cross-Site Scripting (XSS)-like attacks within the Canvas, potentially leading to data exfiltration from the Canvas context, UI defacement, or other malicious client-side actions. Ensure that `html_content` passed to `inject_html_to_canvas` is always from a trusted source or is rigorously sanitized to remove any active content (scripts, event handlers, etc.) before injection. Consider using a DOM parser to sanitize HTML rather than simple string escaping. If the intent is to display untrusted content, it should be rendered in a sandboxed iframe or with a strict Content Security Policy (CSP). | LLM | canvas-inject.py:20 | |
| HIGH | Unsanitized user input in `close-app.sh` leads to Command Injection and Path Traversal The `close-app.sh` script takes `APP_NAME` and `NODE` as command-line arguments without proper sanitization. This leads to:
1. **Path Traversal (APP_NAME)**: `APP_NAME` is used to construct `PID_FILE="/tmp/canvas-app-$APP_NAME.pid"`. An attacker can provide `APP_NAME` like `../etc/passwd` to attempt to delete arbitrary files (e.g., `rm /tmp/canvas-app-../etc/passwd.pid` would try to delete `/etc/passwd`).
2. **Command Injection (NODE)**: `NODE` is used in `openclaw nodes canvas hide --node "$NODE"`. If `NODE` contains shell metacharacters (e.g., `my_node"; rm -rf /; echo "`), it could lead to arbitrary command execution on the host system. 1. **APP_NAME**: Validate `APP_NAME` to ensure it only contains alphanumeric characters, hyphens, and underscores, and does not contain path traversal sequences like `../`. 2. **NODE**: Sanitize `NODE` by escaping or disallowing shell metacharacters. Alternatively, use `printf %q` to properly quote the variable if it's passed to another shell command, or ensure the `openclaw` command has a mechanism to safely handle arguments. | LLM | close-app.sh:5 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/fraction12/canvas-os/open-app.sh:8 | |
| LOW | Node lockfile missing package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/fraction12/canvas-os/package.json |
Scan History
Embed Code
[](https://skillshield.io/report/7f62185f7931511d)
Powered by SkillShield