โ Back to Skills Marketplace
๐ฅ๏ธ Canvas-OS
by
fraction12
ยท GitHub โ
ยท v1.0.1
2769
Downloads
7
Stars
17
Active Installs
2
Versions
Install in OpenClaw
/install canvas-os
Description
Canvas as an app platform. Build, store, and run rich visual apps on the OpenClaw Canvas.
README (SKILL.md)
Canvas OS
Canvas as an app platform. Build, store, and run rich visual apps on the OpenClaw Canvas.
Philosophy
You are an OS. Canvas is the window. Apps are built locally and run on Canvas.
Rich HTML/CSS/JS UIs โ not just text. Full interactivity, animations, live data.
Quick Commands
| Command | What Jarvis Does |
|---|---|
| "Open [app]" | Start server, navigate Canvas, inject data |
| "Build me a [type]" | Create app from template, open it |
| "Update [element]" | Inject JS to modify live |
| "Show [data] on canvas" | Quick A2UI display |
| "Close canvas" | Stop server, hide Canvas |
How It Works
Key principle: Apps run on Canvas, not in a browser tab. Canvas is your UI window.
Canvas Loading Methods
Canvas has security restrictions that block file path access. Three methods work:
| Method | When to Use | Pros | Cons |
|---|---|---|---|
| Localhost Server | Complex apps, external assets | Full browser features | Requires port management |
| Direct HTML Injection | Quick displays, demos | Instant, no server needed | No external assets, size limit |
| Data URLs | Small content | Self-contained | Unreliable on some systems |
โ Does NOT work: file:///path/to/file.html (blocked by Canvas security)
๐ See: CANVAS-LOADING.md for detailed guide + troubleshooting
Helper script: canvas-inject.py โ Formats HTML for direct injection
1. Apps are HTML/CSS/JS files
~/.openclaw/workspace/apps/[app-name]/
โโโ index.html # The UI (self-contained recommended)
โโโ data.json # Persistent state
โโโ manifest.json # App metadata
2. Serve via localhost
cd ~/.openclaw/workspace/apps/[app-name]
python3 -m http.server [PORT] > /dev/null 2>&1 &
3. Navigate Canvas to localhost
NODE="Your Node Name" # Get from: openclaw nodes status
openclaw nodes canvas navigate --node "$NODE" "http://localhost:[PORT]/"
Important: This opens the app on Canvas (the visual panel), NOT in a browser.
4. Agent injects data via JS eval
openclaw nodes canvas eval --node "$NODE" --js "app.setData({...})"
Note: The openclaw-canvas:// URL scheme has issues in current OpenClaw versions. Use http://localhost: instead.
Opening an App
What this does: Displays the app on Canvas (the visual panel), not in a browser tab.
Method 1: Localhost Server (Recommended for Complex Apps)
Full sequence:
NODE="Your Node Name"
PORT=9876
APP="my-app"
# 1. Kill any existing server on the port
lsof -ti:$PORT | xargs kill -9 2>/dev/null
# 2. Start server
cd ~/.openclaw/workspace/apps/$APP
python3 -m http.server $PORT > /dev/null 2>&1 &
# 3. Wait for server
sleep 1
# 4. Navigate Canvas
openclaw nodes canvas navigate --node "$NODE" "http://localhost:$PORT/"
# 5. Inject data
openclaw nodes canvas eval --node "$NODE" --js "app.loadData({...})"
Method 2: Direct HTML Injection (For Quick Displays)
When to use: File paths don't work in Canvas (security sandboxing). Data URLs can be unreliable. Use this for instant displays without localhost.
# Example using canvas tool
canvas.present(url="about:blank", target=node_name)
html_content = """\x3C!DOCTYPE html>
\x3Chtml>
\x3Chead>
\x3Cstyle>
body { background: #667eea; color: white; padding: 40px; }
.card { background: white; color: #333; padding: 30px; border-radius: 16px; }
\x3C/style>
\x3C/head>
\x3Cbody>
\x3Cdiv class="card">
\x3Ch1>Your Content Here\x3C/h1>
\x3C/div>
\x3C/body>
\x3C/html>"""
# Escape backticks and inject
js_code = f"""document.open();
document.write(`{html_content}`);
document.close();"""
canvas.eval(javaScript=js_code, target=node_name)
Key limitation: File paths (file:///path/to/file.html) are blocked in Canvas for security. Always use localhost or direct injection.
Building Apps
App API Convention
Every app should expose a window.app or window.[appname] object:
window.app = {
// Update values
setValue: (key, val) => {
document.getElementById(key).textContent = val;
},
// Bulk update
loadData: (data) => { /* render all */ },
// Notifications
notify: (msg) => { /* show toast */ }
};
Two-Way Communication
Apps send commands back via deep links:
function sendToAgent(message) {
window.location.href = `openclaw://agent?message=${encodeURIComponent(message)}`;
}
// Button click โ agent command
document.getElementById('btn').onclick = () => {
sendToAgent('Refresh my dashboard');
};
Templates
Dashboard
Stats cards, progress bars, lists. Self-contained HTML.
- Default port: 9876
- API:
dashboard.setRevenue(),dashboard.setProgress(),dashboard.notify()
Tracker
Habits/tasks with checkboxes and streaks. Self-contained HTML.
- Default port: 9877
- API:
tracker.setItems(),tracker.addItem(),tracker.toggleItem()
Quick Display (A2UI)
For temporary displays without a full app:
openclaw nodes canvas a2ui push --node "$NODE" --text "
๐ QUICK STATUS
Revenue: \$500
Users: 100
Done!
"
Port Assignments
| App Type | Default Port |
|---|---|
| Dashboard | 9876 |
| Tracker | 9877 |
| Timer | 9878 |
| Display | 9879 |
| Custom | 9880+ |
Design System
:root {
--bg-primary: #0a0a0a;
--bg-card: #1a1a2e;
--accent-green: #00d4aa;
--accent-blue: #4a9eff;
--accent-orange: #f59e0b;
--text-primary: #fff;
--text-muted: #888;
--border: #333;
}
Best Practices
- Self-contained HTML โ Inline CSS/JS for portability
- Dark theme โ Match OpenClaw aesthetic
- Expose app API โ Let agent update via
window.app.* - Use IDs โ On elements the agent will update
- Live clock โ Shows the app is alive
- Deep links โ For two-way communication
Troubleshooting
App opens in browser instead of Canvas?
- Make sure you're using
openclaw nodes canvas navigate, not justopen - Canvas navigate targets the Canvas panel specifically
"Not Found" on Canvas?
- File paths don't work: Canvas blocks
file:///URLs for security (sandboxing) - Data URLs may fail: Use direct HTML injection via
canvas eval+document.write()instead - For localhost: Verify server is running:
curl http://localhost:[PORT]/ - Check port is correct
- Use
http://localhost:notopenclaw-canvas://(URL scheme has issues)
Canvas shows "Not Found" even with correct URL?
- This is a security boundary: Canvas can't access local filesystem
- Solution: Use Method 2 (Direct HTML Injection) from "Opening an App" section
- Or serve via localhost (Method 1)
App not updating?
- Check window.app API is defined:
openclaw nodes canvas eval --js "typeof window.app" - Verify JS eval syntax: single quotes inside double quotes
Server port already in use?
- Kill existing:
lsof -ti:[PORT] | xargs kill -9
Helper Scripts
canvas-inject.py
Python helper for direct HTML injection (Method 2).
# Example usage in Python
from canvas_inject import inject_html_to_canvas
html = open("my-dashboard.html").read()
commands = inject_html_to_canvas(html, node_name="Your Node")
# Then use canvas tool with these commands
canvas.present(**commands["step1_present"])
canvas.eval(**commands["step2_inject"])
Or just follow the pattern manually (see Method 2 in "Opening an App").
Requirements
- OpenClaw with Canvas support (macOS app)
- Python 3 (for http.server)
- A paired node with canvas capability
Usage Guidance
This skill is internally consistent and does what it claims, but it enables running arbitrary HTML/JS inside the Canvas sandbox. Before installing or opening apps: 1) Only open templates or HTML you trust โ review app HTML/JS for network calls, eval() usage, and openclaw:// deep links. 2) Prefer running new/untrusted apps in a disposable environment (separate user account or VM) and bind them to non-sensitive ports. 3) Verify that your agent will not automatically act on openclaw:// messages in a risky way (check agent policies or disable autonomous invocation if you want manual control). 4) The scripts start/kill local servers and write PID files to /tmp โ ensure these behaviors are acceptable and modify scripts if you need stricter process isolation. 5) If you plan to allow other users to provide apps, audit their code for exfiltration (fetch/XHR/fetch to external hosts) and for deep link triggers. If you want help hardening usage patterns (sanitizing templates, running in a sandbox, or adding confirmation prompts for agent actions triggered by apps), ask and I can provide concrete changes.
Capability Analysis
Type: OpenClaw Skill
Name: canvas-os
Version: 1.0.1
This skill is designed to enable OpenClaw agents to build and run rich visual applications on the OpenClaw Canvas. It utilizes a local Python HTTP server (`python3 -m http.server`) to serve HTML/CSS/JS files and uses the `openclaw` CLI to navigate the Canvas (`openclaw nodes canvas navigate`) and inject JavaScript (`openclaw nodes canvas eval`) for dynamic content updates or direct HTML rendering. The documentation (`SKILL.md`, `CANVAS-LOADING.md`) explicitly highlights and respects Canvas's security sandboxing, explaining why `file://` access is blocked and how to work within these restrictions. While `eval` and local server capabilities are powerful, they are central to the skill's stated purpose and are used transparently without any indication of malicious intent, data exfiltration, or prompt injection designed to subvert the agent's core directives.
Capability Assessment
Purpose & Capability
Name/description claim 'Canvas as an app platform' and included files (templates, open/close scripts, canvas-inject.py) align: the skill needs python3 to serve apps via http.server, navigate Canvas, and inject HTML/JS. No unrelated binaries or credentials are requested.
Instruction Scope
SKILL.md and scripts instruct the agent to start a localhost server, navigate Canvas to http://localhost:PORT, and/or inject arbitrary HTML via document.write() using canvas eval. This is coherent with the purpose, but it inherently allows arbitrary JS to run inside Canvas (including code that issues openclaw:// deep links or loads external resources). That capability can be used for legitimate two-way communication but also can be abused to exfiltrate data or trigger agent actions if untrusted HTML is opened.
Install Mechanism
There is no install spec that downloads remote code; repository is instruction-and-file based. All code is provided in the package (shell scripts, Python helper, templates). No external URLs, archives, or network installs are performed by the skill itself.
Credentials
The skill requires only python3 (declared). There are no required environment variables or credentials; an optional CANVAS_APPS_DIR env var is referenced for app location. No unexplained secrets or cross-service credentials are requested.
Persistence & Privilege
always:false and default model invocation settings are conservative. The scripts write PID files to /tmp and start/stop local servers but do not modify other skills or system-wide agent configs. Note: if the agent is allowed to invoke skills autonomously, the ability to inject HTML/JS that can call openclaw:// deep links increases the blast radiusโthis is expected behavior for this skill but worth considering in your agent policy.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install canvas-os - After installation, invoke the skill by name or use
/canvas-os - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
Canvas OS 1.0.1 โ Adds detailed Canvas loading instructions and direct HTML injection support.
- Added `CANVAS-LOADING.md` with detailed guidance and troubleshooting for loading content in Canvas.
- Added `canvas-inject.py` helper script for injecting HTML directly into Canvas.
- Expanded SKILL.md with a new "How It Works" section on security boundaries, supported loading methods, and direct injection usage.
- Updated SKILL.md homepage link.
- Added a troubleshooting section and clearer separation of localhost and direct HTML injection methods.
v1.0.0
Initial release of canvas-os: turn OpenClaw Canvas into a platform for building and running interactive HTML/CSS/JS apps.
- Serve and manage apps (as self-contained folders) via local Python HTTP servers.
- Command-based workflows: open, build, update, and display data on canvas with simple text commands.
- Rich app API conventions: two-way agent-app communication, standardized data injection, and UI updates via JS.
- Includes templates for dashboards, trackers, and quick displays.
- Dark theme design system and best-practice guidelines for building canvas apps.
Metadata
Frequently Asked Questions
What is ๐ฅ๏ธ Canvas-OS?
Canvas as an app platform. Build, store, and run rich visual apps on the OpenClaw Canvas. It is an AI Agent Skill for Claude Code / OpenClaw, with 2769 downloads so far.
How do I install ๐ฅ๏ธ Canvas-OS?
Run "/install canvas-os" in the OpenClaw or Claude Code chat to install it in one step โ no extra setup required.
Is ๐ฅ๏ธ Canvas-OS free?
Yes, ๐ฅ๏ธ Canvas-OS is completely free (open-source). You can download, install and use it at no cost.
Which platforms does ๐ฅ๏ธ Canvas-OS support?
๐ฅ๏ธ Canvas-OS is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created ๐ฅ๏ธ Canvas-OS?
It is built and maintained by fraction12 (@fraction12); the current version is v1.0.1.
More Skills