Gen Agent Trust Hub audit: skills/elizaos/eliza/canvas

Skill: canvas

Verdict: Warn

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • REMOTE_CODE_EXECUTION (MEDIUM): The skill provides an 'eval' action that executes arbitrary JavaScript within the WebView of connected nodes. If an agent is influenced by untrusted data to run malicious scripts, this constitutes a remote code execution vector.
  • DATA_EXFILTRATION (LOW): The 'snapshot' action allows the agent to capture the visual state of the canvas. This could be used to exfiltrate sensitive information displayed on the screen.
  • EXTERNAL_DOWNLOADS (LOW): The skill's 'present' and 'navigate' actions can be used to load content from arbitrary external URLs, potentially exposing the user to malicious websites or tracking.
  • PROMPT_INJECTION (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8).
    1. Ingestion points: Untrusted data can be introduced through the 'target' and 'url' parameters of the present/navigate actions.
    2. Boundary markers: The documentation lacks mention of delimiters or instructions to ignore embedded commands in the processed HTML.
    3. Capability inventory: The skill can execute scripts (eval), capture screen data (snapshot), and perform network requests (navigate).
    4. Sanitization: No sanitization or Content Security Policy (CSP) measures are described to mitigate risks from loaded content.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 18, 2026, 06:11 PM