canvas
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE COMMAND_EXECUTION DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill documentation describes an `eval` action that allows the execution of arbitrary JavaScript within the canvas environment on connected nodes (Mac, iOS, Android). This dynamic execution capability allows the agent to interact with the target device's WebView at a code level.
- [DATA_EXFILTRATION]: The `snapshot` action enables the agent to capture screenshots of the active canvas. If the canvas is used to display sensitive data, this action could be leveraged to extract visual information from the device.
- [COMMAND_EXECUTION]: The documentation references the use of several system-level CLI tools for configuration and diagnostics, including `jq`, `sed`, `lsof`, `curl`, and `tailscale`.
- [INDIRECT_PROMPT_INJECTION]: The skill has an attack surface for indirect injection as it serves and processes HTML/JS files from the local file system.
  - Ingestion points: Files are read from the user-defined `canvasHost.root` directory (defaulting to `~/clawd/canvas/`) and configuration is read from `~/.clawdbot/moltbot.json`.
  - Boundary markers: No explicit boundary markers or instructions to ignore embedded commands are documented for the HTML/JS content being served.
  - Capability inventory: The skill possesses `eval` (JavaScript execution), `snapshot` (screen capture), and `present`/`navigate` (URL rendering) capabilities.
  - Sanitization: There is no mention of sanitization or validation of the HTML/JS content before it is rendered or evaluated in the target WebView.
Audit Metadata