← 返回 Skills 市场
Canvas Os 1.0.1
作者
Knightluozichu
· GitHub ↗
· v1.0.0
740
总下载
0
收藏
4
当前安装
1
版本数
在 OpenClaw 中安装
/install canvas-os-1-0-1
功能描述
Canvas as an app platform. Build, store, and run rich visual apps on the OpenClaw Canvas.
使用说明 (SKILL.md)
Canvas OS
Canvas as an app platform. Build, store, and run rich visual apps on the OpenClaw Canvas.
Philosophy
You are an OS. Canvas is the window. Apps are built locally and run on Canvas.
Rich HTML/CSS/JS UIs — not just text. Full interactivity, animations, live data.
Quick Commands
| Command | What Jarvis Does |
|---|---|
| "Open [app]" | Start server, navigate Canvas, inject data |
| "Build me a [type]" | Create app from template, open it |
| "Update [element]" | Inject JS to modify live |
| "Show [data] on canvas" | Quick A2UI display |
| "Close canvas" | Stop server, hide Canvas |
How It Works
Key principle: Apps run on Canvas, not in a browser tab. Canvas is your UI window.
Canvas Loading Methods
Canvas has security restrictions that block file path access. Three methods work:
| Method | When to Use | Pros | Cons |
|---|---|---|---|
| Localhost Server | Complex apps, external assets | Full browser features | Requires port management |
| Direct HTML Injection | Quick displays, demos | Instant, no server needed | No external assets, size limit |
| Data URLs | Small content | Self-contained | Unreliable on some systems |
❌ Does NOT work: file:///path/to/file.html (blocked by Canvas security)
📖 See: CANVAS-LOADING.md for detailed guide + troubleshooting
Helper script: canvas-inject.py — Formats HTML for direct injection
1. Apps are HTML/CSS/JS files
~/.openclaw/workspace/apps/[app-name]/
├── index.html # The UI (self-contained recommended)
├── data.json # Persistent state
└── manifest.json # App metadata
2. Serve via localhost
cd ~/.openclaw/workspace/apps/[app-name]
python3 -m http.server [PORT] > /dev/null 2>&1 &
3. Navigate Canvas to localhost
NODE="Your Node Name" # Get from: openclaw nodes status
openclaw nodes canvas navigate --node "$NODE" "http://localhost:[PORT]/"
Important: This opens the app on Canvas (the visual panel), NOT in a browser.
4. Agent injects data via JS eval
openclaw nodes canvas eval --node "$NODE" --js "app.setData({...})"
Note: The openclaw-canvas:// URL scheme has issues in current OpenClaw versions. Use http://localhost: instead.
Opening an App
What this does: Displays the app on Canvas (the visual panel), not in a browser tab.
Method 1: Localhost Server (Recommended for Complex Apps)
Full sequence:
NODE="Your Node Name"
PORT=9876
APP="my-app"
# 1. Kill any existing server on the port
lsof -ti:$PORT | xargs kill -9 2>/dev/null
# 2. Start server
cd ~/.openclaw/workspace/apps/$APP
python3 -m http.server $PORT > /dev/null 2>&1 &
# 3. Wait for server
sleep 1
# 4. Navigate Canvas
openclaw nodes canvas navigate --node "$NODE" "http://localhost:$PORT/"
# 5. Inject data
openclaw nodes canvas eval --node "$NODE" --js "app.loadData({...})"
Method 2: Direct HTML Injection (For Quick Displays)
When to use: File paths don't work in Canvas (security sandboxing). Data URLs can be unreliable. Use this for instant displays without localhost.
# Example using canvas tool
canvas.present(url="about:blank", target=node_name)
html_content = """\x3C!DOCTYPE html>
\x3Chtml>
\x3Chead>
\x3Cstyle>
body { background: #667eea; color: white; padding: 40px; }
.card { background: white; color: #333; padding: 30px; border-radius: 16px; }
\x3C/style>
\x3C/head>
\x3Cbody>
\x3Cdiv class="card">
\x3Ch1>Your Content Here\x3C/h1>
\x3C/div>
\x3C/body>
\x3C/html>"""
# Escape backticks and inject
js_code = f"""document.open();
document.write(`{html_content}`);
document.close();"""
canvas.eval(javaScript=js_code, target=node_name)
Key limitation: File paths (file:///path/to/file.html) are blocked in Canvas for security. Always use localhost or direct injection.
Building Apps
App API Convention
Every app should expose a window.app or window.[appname] object:
window.app = {
// Update values
setValue: (key, val) => {
document.getElementById(key).textContent = val;
},
// Bulk update
loadData: (data) => { /* render all */ },
// Notifications
notify: (msg) => { /* show toast */ }
};
Two-Way Communication
Apps send commands back via deep links:
function sendToAgent(message) {
window.location.href = `openclaw://agent?message=${encodeURIComponent(message)}`;
}
// Button click → agent command
document.getElementById('btn').onclick = () => {
sendToAgent('Refresh my dashboard');
};
Templates
Dashboard
Stats cards, progress bars, lists. Self-contained HTML.
- Default port: 9876
- API:
dashboard.setRevenue(),dashboard.setProgress(),dashboard.notify()
Tracker
Habits/tasks with checkboxes and streaks. Self-contained HTML.
- Default port: 9877
- API:
tracker.setItems(),tracker.addItem(),tracker.toggleItem()
Quick Display (A2UI)
For temporary displays without a full app:
openclaw nodes canvas a2ui push --node "$NODE" --text "
📊 QUICK STATUS
Revenue: \$500
Users: 100
Done!
"
Port Assignments
| App Type | Default Port |
|---|---|
| Dashboard | 9876 |
| Tracker | 9877 |
| Timer | 9878 |
| Display | 9879 |
| Custom | 9880+ |
Design System
:root {
--bg-primary: #0a0a0a;
--bg-card: #1a1a2e;
--accent-green: #00d4aa;
--accent-blue: #4a9eff;
--accent-orange: #f59e0b;
--text-primary: #fff;
--text-muted: #888;
--border: #333;
}
Best Practices
- Self-contained HTML — Inline CSS/JS for portability
- Dark theme — Match OpenClaw aesthetic
- Expose app API — Let agent update via
window.app.* - Use IDs — On elements the agent will update
- Live clock — Shows the app is alive
- Deep links — For two-way communication
Troubleshooting
App opens in browser instead of Canvas?
- Make sure you're using
openclaw nodes canvas navigate, not justopen - Canvas navigate targets the Canvas panel specifically
"Not Found" on Canvas?
- File paths don't work: Canvas blocks
file:///URLs for security (sandboxing) - Data URLs may fail: Use direct HTML injection via
canvas eval+document.write()instead - For localhost: Verify server is running:
curl http://localhost:[PORT]/ - Check port is correct
- Use
http://localhost:notopenclaw-canvas://(URL scheme has issues)
Canvas shows "Not Found" even with correct URL?
- This is a security boundary: Canvas can't access local filesystem
- Solution: Use Method 2 (Direct HTML Injection) from "Opening an App" section
- Or serve via localhost (Method 1)
App not updating?
- Check window.app API is defined:
openclaw nodes canvas eval --js "typeof window.app" - Verify JS eval syntax: single quotes inside double quotes
Server port already in use?
- Kill existing:
lsof -ti:[PORT] | xargs kill -9
Helper Scripts
canvas-inject.py
Python helper for direct HTML injection (Method 2).
# Example usage in Python
from canvas_inject import inject_html_to_canvas
html = open("my-dashboard.html").read()
commands = inject_html_to_canvas(html, node_name="Your Node")
# Then use canvas tool with these commands
canvas.present(**commands["step1_present"])
canvas.eval(**commands["step2_inject"])
Or just follow the pattern manually (see Method 2 in "Opening an App").
Requirements
- OpenClaw with Canvas support (macOS app)
- Python 3 (for http.server)
- A paired node with canvas capability
安全使用建议
This skill appears to implement a Canvas app platform and includes helper scripts and HTML templates that match that purpose, but proceed with care:
- Missing declared tools: the scripts call openclaw, lsof, curl and jq but the metadata only lists python3. Ensure those tools are present and you understand their use before running the scripts.
- Arbitrary JS injection: the skill injects HTML/JS into Canvas via eval/document.write. Only display HTML you trust — injected JS can communicate back to the agent via deep links (openclaw://agent?...), which could cause the agent to act on messages authored by the app.
- Local servers & ports: the open-app.sh script starts a local http.server and kills processes on ports (kill -9 via lsof). That behavior is expected for serving apps but review it before running on sensitive machines and be aware of potential port conflicts.
- Review templates: included HTML templates are benign-looking, but if you plan to use third-party or user-supplied HTML, audit it for scripts that could trigger agent actions or exfiltrate data.
If you want to install/use this skill: verify the openclaw CLI and required utilities are available, run the helper scripts in a controlled environment first, and avoid injecting untrusted HTML into Canvas. If the author intended the skill to require additional binaries, ask them to update the metadata to declare them explicitly.
功能分析
Type: OpenClaw Skill
Name: canvas-os-1-0-1
Version: 1.0.0
The `open-app.sh` script contains a shell injection vulnerability. The `APP_NAME` variable, which is derived from user input or agent parameters, is used directly in `cd "$APPS_DIR/$APP_NAME"` without proper sanitization. This could allow an attacker to perform directory traversal (e.g., `../../../../etc`) to serve sensitive files via `python3 -m http.server` or execute arbitrary commands if shell metacharacters are included in `APP_NAME`. This is a significant vulnerability, but there is no clear evidence of intentional malicious design to exploit it, rather it appears to be a lack of input validation.
能力评估
Purpose & Capability
The skill's stated purpose (serve and inject Canvas apps) is coherent with the included files and scripts, but the declared requirements only list python3 while the scripts and instructions rely on several other command-line tools and the openclaw CLI (lsof, curl, jq, openclaw). Those tooling expectations are not declared, which is an incoherence a user should know about.
Instruction Scope
SKILL.md instructs running a local http.server, navigating Canvas via openclaw nodes canvas navigate, and injecting arbitrary HTML/JS via canvas eval/document.write. That allows arbitrary JavaScript to run inside Canvas and apps can call deep links (openclaw://agent?message=...) to send commands back to the agent — a legitimate feature for two-way UI, but it also expands the attack surface (untrusted HTML/JS could attempt to prompt the agent to take actions). The instructions also reference reading app files from the user's workspace (~/.openclaw/workspace/apps), which is consistent with the skill's purpose.
Install Mechanism
No install spec is provided (instruction-only plus bundled helper scripts), so nothing is downloaded or executed during install. This is lower risk; the included scripts will only run if the user/agent executes them.
Credentials
The skill declares no required environment variables or credentials, which matches the lack of network/service integrations. However, scripts implicitly rely on environment items (HOME, optional CANVAS_APPS_DIR) and on the presence of the openclaw CLI and utilities (jq, lsof, curl). The absence of these from requires.env / requires.bins is an inconsistency and could hide implicit privilege/assumptions.
Persistence & Privilege
always:false and normal autonomous invocation are used. The skill writes transient PID files in /tmp to manage local servers (expected behavior). It does not request persistent system-wide privileges or modify other skills' configurations.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install canvas-os-1-0-1 - 安装完成后,直接呼叫该 Skill 的名称或使用
/canvas-os-1-0-1触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release of Canvas OS — a platform for building and running rich visual apps on the OpenClaw Canvas.
- Supports app creation and display using HTML/CSS/JS with full interactivity and animations.
- Two loading methods: localhost server for complex apps and direct HTML injection for quick displays.
- Provides commands for opening, building, updating, and closing apps on the Canvas panel (not browser tabs).
- Includes API conventions and templates for apps like dashboards and trackers.
- Helper script and troubleshooting guide included for easy setup.
- Requires Python 3 and OpenClaw with Canvas support.
元数据
常见问题
Canvas Os 1.0.1 是什么?
Canvas as an app platform. Build, store, and run rich visual apps on the OpenClaw Canvas. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 740 次。
如何安装 Canvas Os 1.0.1?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install canvas-os-1-0-1」即可一键安装,无需额外配置。
Canvas Os 1.0.1 是免费的吗?
是的,Canvas Os 1.0.1 完全免费(开源免费),可自由下载、安装和使用。
Canvas Os 1.0.1 支持哪些平台?
Canvas Os 1.0.1 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Canvas Os 1.0.1?
由 Knightluozichu(@knightluozichu)开发并维护,当前版本 v1.0.0。
推荐 Skills