Canva Connect

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a legitimate Canva integration, but it handles persistent OAuth tokens and exposes destructive Canva actions without enough clear scoping or user-safety guardrails.

Review the OAuth scopes and command list before installing. Only authorize this skill if you are comfortable giving it access to your Canva account, storing refreshable tokens locally, uploading selected files to Canva, and allowing user-directed delete or write-like actions. Prefer using it in a profile where you can revoke Canva access easily, and require explicit confirmation before any delete, upload, export, or comment operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding:
The skill documentation indicates it uses shell execution, network access, and local file writes, including OAuth token storage, but no explicit permissions model is declared. That gap can cause users or hosting frameworks to grant broader capability than expected, increasing the risk of unintended network access or local secret persistence without clear consent boundaries.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding:
The skill description understates actual behavior by omitting OAuth token handling, profile retrieval, and destructive delete operations on designs and assets. Security-relevant behavior mismatches are dangerous because users may authorize the skill under incomplete assumptions, especially where persistent credentials and destructive actions are involved.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding:
The manifest claims narrower export and upload capabilities than later sections document, which creates a misleading security boundary for users and reviewers. When operational scope is broader than advertised, users may expose more data to external services or enable workflows they did not intend to permit.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding:
The document says it cannot edit existing content, but required content scopes and template autofill inherently modify design content or generated outputs. Misrepresenting write-like capabilities reduces informed consent and can lead users to grant content access they would otherwise reject.

Intent-Code Divergence

Severity: Medium
Confidence: 87%
Finding:
The skill presents reassuring limitations early, then later documents broader write and edit-adjacent abilities, creating contradictory guidance. Such inconsistencies are a security problem because they obscure the real trust boundary and make risky capabilities easier to smuggle past user review.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
The API reference exposes capabilities beyond the skill metadata’s stated scope, including destructive deletion and comment creation. This mismatch can cause downstream agents or users to invoke higher-risk operations they were not informed the skill could perform, increasing the chance of unauthorized or unsafe actions.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The commands include deleting designs and assets but provide no explicit warning about data loss, trash semantics, permanence, or need for confirmation. In an agent setting, undocumented destructive operations raise the risk of accidental deletion through ambiguous prompts or automation mistakes.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The documented design deletion endpoint is destructive and appears without any warning about irreversibility, ownership implications, or need for explicit user confirmation. In an agent context, lack of such guardrails raises the risk of accidental or socially engineered deletion of user data.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The asset upload endpoint sends user-provided file contents to Canva’s remote API, but the documentation does not warn about external data transmission, privacy considerations, or acceptable content handling. This can lead to unintentional disclosure of sensitive files through the agent.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The asset deletion endpoint is another destructive operation documented without warning about consequences or recovery limitations. In automation or agent-driven workflows, missing cautionary guidance materially increases the risk of accidental permanent data loss.

VirusTotal

66/66 vendors flagged this skill as clean.
