Canva Connect
v1.0.0
Manage Canva designs, assets, and folders via the Connect API.
WHAT IT CAN DO:
- List/search/organize designs and folders
- Export finished designs (PNG/PDF/JPG)
- Upload images to asset library
- Autofill brand templates with data
- Create blank designs (doc/presentation/whiteboard/custom)
WHAT IT CANNOT DO:
- Add content to designs (text, shapes, elements)
- Edit existing design content
- Upload documents (images only)
- AI design generation
Best for: asset pipelines, export automation, organization, template autofill.
Triggers: /canva, "upload to canva", "export design", "list my designs", "canva folder".
⭐ 3 · 3.3k · 11 current · 11 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (Canva Connect: list/export/upload/organize/autofill) matches the included CLI and API references. However, registry metadata incorrectly lists no required environment variables or credentials while SKILL.md declares CANVA_CLIENT_ID and CANVA_CLIENT_SECRET. Also the script requires standard CLI utilities (curl, jq, openssl, python3) even though the manifest claims no required binaries—this metadata mismatch is confusing and should be corrected.
Instruction Scope
SKILL.md and scripts instruct the agent/user to run scripts that: open the browser for OAuth, start a local Python HTTP server to capture the auth code, read ~/.clawdbot/clawdbot.json for credentials, and write tokens to ~/.clawdbot/canva-tokens.json. Those steps are expected for OAuth CLI tools, but the script explicitly requests write-capable scopes (e.g., design:content:write, asset:write, folder:write) even though the SKILL.md 'WHAT IT CANNOT DO' claims it cannot add/edit design content. That is a contradiction: the runtime will request more privileges than the description promises.
Install Mechanism
There is no install spec (instruction-only), so nothing is downloaded at install time. However a non-trivial shell script is included and will be written/executed if the skill is used. The script relies on external binaries (curl, jq, openssl, python3) which are not declared in the top-level registry requirements—this is an omission rather than a direct install risk, but users should ensure those tools are available and review the script before running it.
Credentials
The only required credentials are Canva client ID/secret (appropriate for OAuth). But the OAuth scopes requested by the script include write permissions for design content and assets. Those scopes are broader than the SKILL.md's claimed limitations (it says it cannot add or edit design content). Requesting client_secret + broad write scopes is a privilege expansion that users should be wary of.
Persistence & Privilege
The skill does not request global 'always' presence and does not modify other skills. It stores OAuth tokens in ~/.clawdbot/canva-tokens.json with chmod 600, and uses a local HTTP server to complete OAuth — this is normal for CLI OAuth flows. Autonomous invocation is allowed (platform default) and is not by itself a red flag.
What to consider before installing
This skill appears to be a real Canva Connect integration, but there are several things you should check before installing or providing credentials:
- Verify the owner/source. The 'Source' and 'Homepage' are missing in the registry; prefer skills from a known publisher.
- Inspect the included script (scripts/canva.sh) yourself. It will run a local OAuth flow, start a small Python HTTP server to capture the auth code, and write tokens to ~/.clawdbot/canva-tokens.json. Ensure you trust the code before running it.
- Confirm required tools are available (curl, jq, openssl, python3). The registry metadata omits these requirements but the script needs them.
- Scope/privilege mismatch: the script requests write-capable OAuth scopes (design:content:write, asset:write, folder:write) even though the README claims the skill "cannot add content to designs". If you only need exports/reads, consider creating an OAuth client with minimal (read-only) scopes or do not grant write scopes/secret to this skill.
- Prefer setting CANVA_CLIENT_ID and CANVA_CLIENT_SECRET as environment variables in a controlled environment rather than pasting secrets into shared config files. Rotate credentials if you suspect misuse.
- If uncertain, run the CLI in an isolated environment (container or VM) to limit blast radius.
If you want, I can highlight the exact lines in scripts/canva.sh that request scopes and write tokens so you can more easily review them.
Like a lobster shell, security has layers — review code before you run it.
latestvk97f0hqb2pm18p0yq2n3p89p1s8079ak
Runtime requirements
🎨 Clawdis
Env: CANVA_CLIENT_ID, CANVA_CLIENT_SECRET
Primary env: CANVA_CLIENT_ID
