Canva
Review
Audited by ClawScan on May 1, 2026.
Overview
The Canva skill is coherent and purpose-aligned, but it requires Canva OAuth access that can read and create Canva content and stores tokens locally.
This appears to be a straightforward Canva integration. Before installing, confirm you are comfortable granting Canva read/write design and asset scopes, storing OAuth tokens in ~/.canva/tokens.json, and letting the helper upload only files you explicitly choose.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing and authenticating this skill can let the helper access Canva designs, templates, and assets and create or upload content in the connected Canva account.
The skill asks for OAuth scopes that allow reading and writing Canva account content. This is expected for the stated Canva management purpose, but it is sensitive delegated account authority.
Scopes Required
- `design:content:read` - Read designs
- `design:content:write` - Create/modify designs
- `asset:read` - Read assets
- `asset:write` - Upload assets
Use a Canva integration with only the scopes you need, connect the intended Canva account/workspace, and revoke the integration if you stop using the skill.
A user or agent using this helper can create Canva designs and upload assets, which may affect the connected Canva workspace.
The helper exposes a write operation that creates Canva designs from templates. This aligns with the skill purpose, but users should treat it as an account-modifying action.
api POST "/autofills" "{\"brand_template_id\": \"$2\", \"data\": $3}" | jq .
Review prompts that create, upload, or batch-export Canva content, and avoid granting the skill access to workspaces where unintended changes would be costly.
If used with the wrong path, local file contents could be uploaded to Canva.
The upload command sends the user-specified local file path to Canva. This is an advertised feature, but the artifacts do not restrict uploads to image files.
--data-binary "@$2" | jq .
Only run upload commands for files you intend to place in Canva, and verify the file path before approving an upload.
The skill may fail or behave inconsistently on systems missing these tools.
The helper scripts depend on external command-line tools such as openssl, curl, and jq, while the registry requirements list no required binaries. This is a metadata completeness issue, not evidence of malicious behavior.
STATE=$(openssl rand -hex 16)
Before installing, ensure curl, jq, and openssl are present and consider declaring them in the skill metadata.
