← Back to Skills Marketplace
Canvas Os 1.0.1
by
Knightluozichu
· GitHub ↗
· v1.0.0
740
Downloads
0
Stars
4
Active Installs
1
Versions
Install in OpenClaw
/install canvas-os-1-0-1
Description
Canvas as an app platform. Build, store, and run rich visual apps on the OpenClaw Canvas.
README (SKILL.md)
Canvas OS
Canvas as an app platform. Build, store, and run rich visual apps on the OpenClaw Canvas.
Philosophy
You are an OS. Canvas is the window. Apps are built locally and run on Canvas.
Rich HTML/CSS/JS UIs — not just text. Full interactivity, animations, live data.
Quick Commands
| Command | What Jarvis Does |
|---|---|
| "Open [app]" | Start server, navigate Canvas, inject data |
| "Build me a [type]" | Create app from template, open it |
| "Update [element]" | Inject JS to modify live |
| "Show [data] on canvas" | Quick A2UI display |
| "Close canvas" | Stop server, hide Canvas |
How It Works
Key principle: Apps run on Canvas, not in a browser tab. Canvas is your UI window.
Canvas Loading Methods
Canvas has security restrictions that block file path access. Three methods work:
| Method | When to Use | Pros | Cons |
|---|---|---|---|
| Localhost Server | Complex apps, external assets | Full browser features | Requires port management |
| Direct HTML Injection | Quick displays, demos | Instant, no server needed | No external assets, size limit |
| Data URLs | Small content | Self-contained | Unreliable on some systems |
❌ Does NOT work: file:///path/to/file.html (blocked by Canvas security)
📖 See: CANVAS-LOADING.md for detailed guide + troubleshooting
Helper script: canvas-inject.py — Formats HTML for direct injection
1. Apps are HTML/CSS/JS files
~/.openclaw/workspace/apps/[app-name]/
├── index.html # The UI (self-contained recommended)
├── data.json # Persistent state
└── manifest.json # App metadata
2. Serve via localhost
cd ~/.openclaw/workspace/apps/[app-name]
python3 -m http.server [PORT] > /dev/null 2>&1 &
3. Navigate Canvas to localhost
NODE="Your Node Name" # Get from: openclaw nodes status
openclaw nodes canvas navigate --node "$NODE" "http://localhost:[PORT]/"
Important: This opens the app on Canvas (the visual panel), NOT in a browser.
4. Agent injects data via JS eval
openclaw nodes canvas eval --node "$NODE" --js "app.setData({...})"
Note: The openclaw-canvas:// URL scheme has issues in current OpenClaw versions. Use http://localhost: instead.
Opening an App
What this does: Displays the app on Canvas (the visual panel), not in a browser tab.
Method 1: Localhost Server (Recommended for Complex Apps)
Full sequence:
NODE="Your Node Name"
PORT=9876
APP="my-app"
# 1. Kill any existing server on the port
lsof -ti:$PORT | xargs kill -9 2>/dev/null
# 2. Start server
cd ~/.openclaw/workspace/apps/$APP
python3 -m http.server $PORT > /dev/null 2>&1 &
# 3. Wait for server
sleep 1
# 4. Navigate Canvas
openclaw nodes canvas navigate --node "$NODE" "http://localhost:$PORT/"
# 5. Inject data
openclaw nodes canvas eval --node "$NODE" --js "app.loadData({...})"
Method 2: Direct HTML Injection (For Quick Displays)
When to use: File paths don't work in Canvas (security sandboxing). Data URLs can be unreliable. Use this for instant displays without localhost.
# Example using canvas tool
canvas.present(url="about:blank", target=node_name)
html_content = """\x3C!DOCTYPE html>
\x3Chtml>
\x3Chead>
\x3Cstyle>
body { background: #667eea; color: white; padding: 40px; }
.card { background: white; color: #333; padding: 30px; border-radius: 16px; }
\x3C/style>
\x3C/head>
\x3Cbody>
\x3Cdiv class="card">
\x3Ch1>Your Content Here\x3C/h1>
\x3C/div>
\x3C/body>
\x3C/html>"""
# Escape backticks and inject
js_code = f"""document.open();
document.write(`{html_content}`);
document.close();"""
canvas.eval(javaScript=js_code, target=node_name)
Key limitation: File paths (file:///path/to/file.html) are blocked in Canvas for security. Always use localhost or direct injection.
Building Apps
App API Convention
Every app should expose a window.app or window.[appname] object:
window.app = {
// Update values
setValue: (key, val) => {
document.getElementById(key).textContent = val;
},
// Bulk update
loadData: (data) => { /* render all */ },
// Notifications
notify: (msg) => { /* show toast */ }
};
Two-Way Communication
Apps send commands back via deep links:
function sendToAgent(message) {
window.location.href = `openclaw://agent?message=${encodeURIComponent(message)}`;
}
// Button click → agent command
document.getElementById('btn').onclick = () => {
sendToAgent('Refresh my dashboard');
};
Templates
Dashboard
Stats cards, progress bars, lists. Self-contained HTML.
- Default port: 9876
- API:
dashboard.setRevenue(),dashboard.setProgress(),dashboard.notify()
Tracker
Habits/tasks with checkboxes and streaks. Self-contained HTML.
- Default port: 9877
- API:
tracker.setItems(),tracker.addItem(),tracker.toggleItem()
Quick Display (A2UI)
For temporary displays without a full app:
openclaw nodes canvas a2ui push --node "$NODE" --text "
📊 QUICK STATUS
Revenue: \$500
Users: 100
Done!
"
Port Assignments
| App Type | Default Port |
|---|---|
| Dashboard | 9876 |
| Tracker | 9877 |
| Timer | 9878 |
| Display | 9879 |
| Custom | 9880+ |
Design System
:root {
--bg-primary: #0a0a0a;
--bg-card: #1a1a2e;
--accent-green: #00d4aa;
--accent-blue: #4a9eff;
--accent-orange: #f59e0b;
--text-primary: #fff;
--text-muted: #888;
--border: #333;
}
Best Practices
- Self-contained HTML — Inline CSS/JS for portability
- Dark theme — Match OpenClaw aesthetic
- Expose app API — Let agent update via
window.app.* - Use IDs — On elements the agent will update
- Live clock — Shows the app is alive
- Deep links — For two-way communication
Troubleshooting
App opens in browser instead of Canvas?
- Make sure you're using
openclaw nodes canvas navigate, not justopen - Canvas navigate targets the Canvas panel specifically
"Not Found" on Canvas?
- File paths don't work: Canvas blocks
file:///URLs for security (sandboxing) - Data URLs may fail: Use direct HTML injection via
canvas eval+document.write()instead - For localhost: Verify server is running:
curl http://localhost:[PORT]/ - Check port is correct
- Use
http://localhost:notopenclaw-canvas://(URL scheme has issues)
Canvas shows "Not Found" even with correct URL?
- This is a security boundary: Canvas can't access local filesystem
- Solution: Use Method 2 (Direct HTML Injection) from "Opening an App" section
- Or serve via localhost (Method 1)
App not updating?
- Check window.app API is defined:
openclaw nodes canvas eval --js "typeof window.app" - Verify JS eval syntax: single quotes inside double quotes
Server port already in use?
- Kill existing:
lsof -ti:[PORT] | xargs kill -9
Helper Scripts
canvas-inject.py
Python helper for direct HTML injection (Method 2).
# Example usage in Python
from canvas_inject import inject_html_to_canvas
html = open("my-dashboard.html").read()
commands = inject_html_to_canvas(html, node_name="Your Node")
# Then use canvas tool with these commands
canvas.present(**commands["step1_present"])
canvas.eval(**commands["step2_inject"])
Or just follow the pattern manually (see Method 2 in "Opening an App").
Requirements
- OpenClaw with Canvas support (macOS app)
- Python 3 (for http.server)
- A paired node with canvas capability
Usage Guidance
This skill appears to implement a Canvas app platform and includes helper scripts and HTML templates that match that purpose, but proceed with care:
- Missing declared tools: the scripts call openclaw, lsof, curl and jq but the metadata only lists python3. Ensure those tools are present and you understand their use before running the scripts.
- Arbitrary JS injection: the skill injects HTML/JS into Canvas via eval/document.write. Only display HTML you trust — injected JS can communicate back to the agent via deep links (openclaw://agent?...), which could cause the agent to act on messages authored by the app.
- Local servers & ports: the open-app.sh script starts a local http.server and kills processes on ports (kill -9 via lsof). That behavior is expected for serving apps but review it before running on sensitive machines and be aware of potential port conflicts.
- Review templates: included HTML templates are benign-looking, but if you plan to use third-party or user-supplied HTML, audit it for scripts that could trigger agent actions or exfiltrate data.
If you want to install/use this skill: verify the openclaw CLI and required utilities are available, run the helper scripts in a controlled environment first, and avoid injecting untrusted HTML into Canvas. If the author intended the skill to require additional binaries, ask them to update the metadata to declare them explicitly.
Capability Analysis
Type: OpenClaw Skill
Name: canvas-os-1-0-1
Version: 1.0.0
The `open-app.sh` script contains a shell injection vulnerability. The `APP_NAME` variable, which is derived from user input or agent parameters, is used directly in `cd "$APPS_DIR/$APP_NAME"` without proper sanitization. This could allow an attacker to perform directory traversal (e.g., `../../../../etc`) to serve sensitive files via `python3 -m http.server` or execute arbitrary commands if shell metacharacters are included in `APP_NAME`. This is a significant vulnerability, but there is no clear evidence of intentional malicious design to exploit it, rather it appears to be a lack of input validation.
Capability Assessment
Purpose & Capability
The skill's stated purpose (serve and inject Canvas apps) is coherent with the included files and scripts, but the declared requirements only list python3 while the scripts and instructions rely on several other command-line tools and the openclaw CLI (lsof, curl, jq, openclaw). Those tooling expectations are not declared, which is an incoherence a user should know about.
Instruction Scope
SKILL.md instructs running a local http.server, navigating Canvas via openclaw nodes canvas navigate, and injecting arbitrary HTML/JS via canvas eval/document.write. That allows arbitrary JavaScript to run inside Canvas and apps can call deep links (openclaw://agent?message=...) to send commands back to the agent — a legitimate feature for two-way UI, but it also expands the attack surface (untrusted HTML/JS could attempt to prompt the agent to take actions). The instructions also reference reading app files from the user's workspace (~/.openclaw/workspace/apps), which is consistent with the skill's purpose.
Install Mechanism
No install spec is provided (instruction-only plus bundled helper scripts), so nothing is downloaded or executed during install. This is lower risk; the included scripts will only run if the user/agent executes them.
Credentials
The skill declares no required environment variables or credentials, which matches the lack of network/service integrations. However, scripts implicitly rely on environment items (HOME, optional CANVAS_APPS_DIR) and on the presence of the openclaw CLI and utilities (jq, lsof, curl). The absence of these from requires.env / requires.bins is an inconsistency and could hide implicit privilege/assumptions.
Persistence & Privilege
always:false and normal autonomous invocation are used. The skill writes transient PID files in /tmp to manage local servers (expected behavior). It does not request persistent system-wide privileges or modify other skills' configurations.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install canvas-os-1-0-1 - After installation, invoke the skill by name or use
/canvas-os-1-0-1 - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of Canvas OS — a platform for building and running rich visual apps on the OpenClaw Canvas.
- Supports app creation and display using HTML/CSS/JS with full interactivity and animations.
- Two loading methods: localhost server for complex apps and direct HTML injection for quick displays.
- Provides commands for opening, building, updating, and closing apps on the Canvas panel (not browser tabs).
- Includes API conventions and templates for apps like dashboards and trackers.
- Helper script and troubleshooting guide included for easy setup.
- Requires Python 3 and OpenClaw with Canvas support.
Metadata
Frequently Asked Questions
What is Canvas Os 1.0.1?
Canvas as an app platform. Build, store, and run rich visual apps on the OpenClaw Canvas. It is an AI Agent Skill for Claude Code / OpenClaw, with 740 downloads so far.
How do I install Canvas Os 1.0.1?
Run "/install canvas-os-1-0-1" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Canvas Os 1.0.1 free?
Yes, Canvas Os 1.0.1 is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Canvas Os 1.0.1 support?
Canvas Os 1.0.1 is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Canvas Os 1.0.1?
It is built and maintained by Knightluozichu (@knightluozichu); the current version is v1.0.0.
More Skills