canvas

Fail

Audited by Socket on Feb 28, 2026

1 alert found:

Obfuscated File (HIGH)
SKILL.md

No clear signs of embedded malware or intentional data-exfiltration code are present in the provided documentation. The Canvas feature is powerful and by design allows arbitrary web content to be executed on connected devices; this creates a moderate-to-high operational security risk if the host, bridge, operator account, or network are compromised. Key mitigations missing from the documentation include authentication/TLS for the HTTP server and bridge, authorization/consent on nodes for actions (especially eval), guidance to avoid placing sensitive files in the canvas root, and recommendations for logging and access controls. Treat the package as functional but requiring hardening before deployment in untrusted networks.

Confidence: 98%
Audit Metadata
Analyzed At: Feb 28, 2026, 07:25 AM
Package URL: pkg:socket/skills-sh/TermiX-official%2Fcryptoclaw%2Fcanvas%2F@c25bec2def998abf2312de8c3ea8fb1acc8efb39