ClawHub

Canva

v1.0.0

Create, export, and manage Canva designs via the Connect API. Generate social posts, carousels, and graphics programmatically.

8· 4k·20 current·20 all-time
by@abgohel
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description and the scripts/SKILL.md consistently implement a Canva Connect API integration (listing designs, autofill, exports, uploads). However the registry metadata at the top of the submission lists no required environment variables while SKILL.md and the scripts clearly require CANVA_CLIENT_ID and CANVA_CLIENT_SECRET. That mismatch is an incoherence (likely an authoring/metadata error) that should be resolved.
Instruction Scope
SKILL.md and the included scripts confine runtime actions to the Canva Connect API (api.canva.com), user home (~/.canva/tokens.json), and local utilities (curl, jq, openssl). The instructions do not attempt to read unrelated system files or contact unknown third-party endpoints.
Install Mechanism
No install script or remote downloads are present; this is instruction-only with local shell scripts. The scripts are included in the package (no external arbitrary code download or extract).
Credentials
The only sensitive values required by the runtime are CANVA_CLIENT_ID and CANVA_CLIENT_SECRET (and the OAuth tokens saved locally). Those are appropriate and proportional for a Canva Connect integration. The problem is the registry metadata does not declare these required env vars (declared as 'none'), so automated checks or users relying on registry info may be misled.
Persistence & Privilege
The skill stores OAuth tokens in ~/.canva/tokens.json (scripts create the directory and set chmod 600 on the file). This is expected for OAuth clients, but note it writes and reads a file in the user's home. The skill is not 'always: true' and does not modify other skills or global agent config.
What to consider before installing
This skill looks like a reasonable Canva Connect integration, but there is an important metadata mismatch: the registry claims no required environment variables while SKILL.md and the scripts require CANVA_CLIENT_ID and CANVA_CLIENT_SECRET and will store OAuth tokens at ~/.canva/tokens.json. Before installing: (1) confirm the skill source (check the GitHub repo URL and author), (2) ensure you are comfortable providing a Canva client ID/secret and storing tokens in your home directory (the auth script sets file mode 600), (3) run the included scripts locally and inspect them yourself (they only call api.canva.com), and (4) ask the publisher to fix the registry metadata so required env vars are declared. If you are uncomfortable with autonomous invocation, restrict the skill or deny automatic model invocation in your agent settings.

Like a lobster shell, security has layers — review code before you run it.

latestvk9769nmqpyys0yn35dk1nxqt998044er

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎨 Clawdis
EnvCANVA_CLIENT_ID, CANVA_CLIENT_SECRET

Comments