Canva

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Canva integration that uses expected Canva OAuth access and user-run helper scripts, with sensitive account permissions users should understand before installing.

Install only if you are comfortable granting this skill read/write access to the connected Canva account. Use a Canva app/workspace with the minimum scopes you need, protect CANVA_CLIENT_SECRET and ~/.canva/tokens.json, and only approve uploads or exports when the exact file, design, and account context are clear.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium (84% confidence)
The README encourages broad natural-language commands like "Show me my Canva designs" and "Upload this image to Canva" without defining confirmation, scope, or trigger boundaries. In an agent setting, vague invocation guidance can cause unintended access to remote account data, exports, or uploads when the assistant over-interprets user intent.

Missing User Warnings

Medium (88% confidence)
The feature list advertises exporting designs and uploading local assets, but does not warn that these actions transfer data to or from Canva and may read/write local files. In agent environments, missing disclosure increases the risk of users unknowingly causing external data exfiltration, cloud uploads, or local file creation.

Missing User Warnings

Medium (96% confidence)
The skill instructs users to store Canva client credentials in environment variables and access tokens in ~/.canva/tokens.json, but it does not warn that these are sensitive secrets on disk and in the process environment. This omission can lead users to expose credentials through weak file permissions, backups, logs, shell history, or shared systems.

Missing User Warnings

Medium (95% confidence)
The skill supports asset uploads and design exports to Canva's external API but does not clearly warn users that local files and design content will be transmitted to a third-party service. Without explicit disclosure, users may unknowingly send sensitive images, documents, or proprietary brand material off-host.

VirusTotal

65/65 vendors flagged this skill as clean.