Canva Connect

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone or anything that can use the stored token may be able to access and modify Canva resources within the granted scopes.

Why it was flagged

The skill requires Canva OAuth credentials and stores reusable tokens for account access. This is expected for a Canva management integration, but users should recognize the account authority being granted.

Skill content

Set scopes: `design:content` (Read + Write) ... `asset` (Read + Write) ... `profile` (Read) ... Tokens stored in `~/.clawdbot/canva-tokens.json`.

Recommendation

Use a dedicated Canva integration with only the scopes you need, keep the token file private, and run `auth logout` if you no longer use the skill.

What this means

A mistaken command could create unwanted Canva resources or move/delete Canva designs or assets.

Why it was flagged

The skill exposes commands that can mutate or remove Canva account content. The commands are clearly documented and purpose-aligned, but they can have account-level effects if invoked on the wrong item.

Skill content

`designs delete <id>` | Move design to trash ... `assets delete <id>` | Delete asset ... `folders create <name>` | Create folder

Recommendation

Review design, asset, and folder IDs before running write or delete commands, and ask the agent to confirm destructive operations.

What this means

The skill may fail or behave differently depending on the local versions of these tools.

Why it was flagged

The skill has no install spec or required-binary declarations, but the script depends on several local command-line tools. This is not suspicious by itself, but it is relevant for review and reproducibility.

Skill content

`curl -s -X POST`, `jq -r`, `openssl rand -hex 16`, `python3 << PYEOF`

Recommendation

Install and use trusted versions of curl, jq, openssl, and python3, and review the included script before authenticating.