grtninja/canvas
skill-candidates/canvas/SKILL.md
Present, navigate, snapshot, and hide HTML content on connected OpenClaw nodes (Mac, iOS, Android) via the canvas tool. Use when displaying games, visualizations, dashboards, or interactive demos on remote node canvas views, or when debugging canvas URL routing across loopback, LAN, and Tailscale bind modes.
$ install --global
skillsauthnpx skillsauth add grtninja/skill-arbiter canvasInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 22, 2026, 8:11 PM53.1s3 files scanned
SKILL.md
- name:
- canvas
- description:
- Present, navigate, snapshot, and hide HTML content on connected OpenClaw nodes (Mac, iOS, Android) via the canvas tool. Use when displaying games, visualizations, dashboards, or interactive demos on remote node canvas views, or when debugging canvas URL routing across loopback, LAN, and Tailscale bind modes.
Canvas
Display HTML content on connected OpenClaw nodes via the canvas host server (port 18793) and node bridge (port 18790).
Workflow
- Place HTML files in the configured canvas root directory.
~/clawd/canvas/is a common default, but verify the actualcanvasHost.rooton the target host before assuming it. - Verify the canvas host is running on the target host:
lsof -i :18793 - Check gateway bind mode and construct the canvas URL:
cat ~/.openclaw/openclaw.json | jq '.gateway.bind'loopback:http://127.0.0.1:18793/__openclaw__/canvas/<file>.htmllan/tailnet/auto:http://<hostname>:18793/__openclaw__/canvas/<file>.html
- Find connected nodes with canvas capability:
openclaw nodes list - Present content on a node:
canvas action:present node:<node-id> target:<full-url> - Verify content loaded. If the canvas shows a white screen, check that the URL hostname matches the bind mode and the actual host surface you are targeting; do not assume
localhostor a Unix-style path layout on every machine.
Actions
| Action | Description |
| ---------- | ------------------------------------ |
| present | Show canvas with optional target URL |
| hide | Hide the canvas |
| navigate | Navigate to a new URL |
| eval | Execute JavaScript in the canvas |
| snapshot | Capture screenshot of canvas |
Configuration
In ~/.openclaw/openclaw.json, enable canvasHost with a root directory and optional liveReload (auto-refreshes connected canvases on file change). The gateway.bind setting (loopback, lan, tailnet, auto) controls which interface the server binds to and which hostname nodes receive.
Treat the path and shell commands in this doc as OpenClaw-oriented examples, not a universal host contract.
Debugging
See references/canvas-debugging.md for common issues: white screen (URL mismatch), "node required" errors, "node not connected", and live reload failures.
Guardrails
- Keep HTML self-contained (inline CSS/JS) for best cross-node results.
- Use local or trusted tools only; avoid untrusted install pipelines.
- Do not paste secrets/tokens into chat output.
Related Skills
grtninja/white-hat
tools
VerifiedTrustedCommunity
Run a defender-first security sweep on code, configs, prompts, model/tooling surfaces, or third-party contribution lanes. Use when a request involves safe bug, leak, zero-day-class, exploit, or hack hunting for protection, when contributing to outside repositories and you want a focused security pass, or when touching auth, secrets, permissions, network exposure, prompt/tool boundaries, data flow, or update/build surfaces. This skill is defensive only and must never be used for weaponization or unauthorized access.
2SKILL.mdUpdated Apr 22, 2026
grtninja/vrm-sandbox-startup-acceptance
development
VerifiedTrustedCommunity
Validate and repair VRM Sandbox startup acceptance with shim-first local model authority, frontend/backend bring-up, and avatar-runtime launch proof. Use when launch behavior, chat handoff, voice fallback, or runtime bridge acceptance must be verified end to end.
2SKILL.mdUpdated Apr 22, 2026
grtninja/voice-catalog-runtime-alignment
documentation
VerifiedTrustedCommunity
Align documented voice-command catalogs, endpoint action allowances, and live runtime handlers so operator-visible voice surfaces match what the stack can actually execute. Use when voice command docs, parser matrices, endpoint permissions, or runtime action routing drift apart.
2SKILL.mdUpdated Apr 22, 2026
grtninja/skillhub-trend-radar
development
VerifiedTrustedCommunity
Track SkillHub trend and topic drift, maintain a bounded rewrite watchlist, and surface emerging gaps worth turning into repo-owned skills. Use when the marketplace query set shows new families or when the current shortlist has gone stale.
2SKILL.mdUpdated Apr 22, 2026