Is lura2/canvas safe?
https://github.com/openclaw/skills/tree/main/skills/lura2/canvas
The lura2/canvas skill has a clean SKILL.md with no prompt injection attempts and a clean installation with expected-only network connections and no canary file violations. The security concerns are not about hidden malicious behavior but about the powerful disclosed capabilities: the 'eval' action executes arbitrary JavaScript on connected Mac/iOS/Android WebViews, 'snapshot' captures device screenshots, and 'navigate' can redirect connected users to arbitrary URLs — together forming a near-complete remote device control toolkit that becomes dangerous if the agent is manipulated. The skill is safe to install in trusted environments with a well-sandboxed agent, but should not be installed where the agent may process untrusted user input or where connected nodes belong to users other than the agent operator.
Findings (9)
HIGH Explicit JavaScript execution in remote device WebViews -20
The documented 'eval' action (canvas action:eval) executes arbitrary JavaScript inside the WebView of connected Mac, iOS, and Android nodes. If an attacker can manipulate the agent — via prompt injection, malicious user input, or a poisoned canvas file — they can achieve code execution in the context of connected devices. Mobile WebViews may have access to native bridge APIs depending on the host application's configuration.
MEDIUM Arbitrary URL navigation on connected user devices -20
The 'navigate' action redirects connected nodes to any URL provided. A manipulated or compromised agent could silently send connected Mac/iOS/Android users to phishing pages, credential-harvesting sites, or pages hosting drive-by exploits. The user on the connected device receives no explicit warning from the OpenClaw app.
MEDIUM Screenshot capture of connected device screens -10
The 'snapshot' action captures a screenshot of the canvas WebView on a connected node and returns it. If the connected device is displaying sensitive content (documents, passwords, private communications), a manipulated agent could capture and return this data. Combined with eval, an attacker could also exfiltrate data extracted from DOM content or browser storage.
MEDIUM Combined eval+snapshot+navigate attack surface on remote devices -20
The three high-risk actions (eval, snapshot, navigate) compose into a near-complete remote-access toolkit: eval for code execution and data exfiltration from the WebView context, snapshot for covert surveillance, navigate for phishing. While individually documented as legitimate features, together they represent a powerful attack surface that a malicious actor controlling the agent could exploit against every connected node simultaneously.
LOW Live reload injects WebSocket client into all served HTML -8
When liveReload is enabled (default: true), the canvas host automatically modifies every HTML file served to connected nodes by injecting a WebSocket client script. This is undisclosed to the end user receiving the content and establishes a persistent WebSocket channel from each connected device back to the host. If the canvas root is writable by an attacker, they can use this injected channel as a covert communication path.
LOW Canvas HTTP server defaults to network-exposed binding -10
The default gateway.bind value is 'auto', which selects the best available interface in priority order: Tailscale > LAN > loopback. This means in most real deployments the canvas server binds to a network interface accessible to all Tailscale or LAN peers — not just localhost. Any HTML content written by the agent is immediately accessible to other network users, including potentially sensitive data the agent may have rendered.
LOW Canvas server uses plain HTTP -5
The canvas host serves content on plain HTTP (port 18793) with no TLS. When bound to LAN or Tailscale interfaces, traffic between the host and connected nodes is unencrypted and susceptible to MITM interception or injection by network peers. An attacker on the same network could intercept canvas content or inject malicious scripts into served HTML.
LOW eval action amplifies prompt injection from rendered content -10
Because the agent can write HTML to the canvas root and the SKILL.md instructs the agent to use eval to interact with canvas content, any untrusted HTML content rendered in the canvas (e.g., from a user-supplied URL or generated from user input) could contain JavaScript that exfiltrates data or manipulates the agent's context via the snapshot return value or eval output.
INFO Canary file accesses are audit-harness artifacts, not skill behavior 0
File reads of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials appear in filesystem monitoring at 08:24:46 (audit sequence ~265). The skill git clone does not begin until 08:24:51 (audit sequence ~495). These accesses predate the skill installation and are consistent with the audit harness establishing and baseline-checking canary files. All canary files confirmed intact with no write operations.