Back to skill

Security audit

Canva Connect

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Canva integration, but it should be reviewed because it stores OAuth tokens and can delete Canva designs or assets without strong safeguards.

Install only if you are comfortable granting this skill Canva account access, storing refreshable tokens locally, uploading selected files to Canva, and allowing commands that can delete Canva content. Treat delete operations as requiring explicit user confirmation outside the skill, and revoke the Canva integration or run auth logout when access is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill clearly describes network access, shell execution, and local file writes for OAuth, exports, uploads, and token/cache storage, but these capabilities are not declared in the manifest as permissions. Undeclared sensitive capabilities weaken user/operator understanding of what the skill can do and reduce the effectiveness of policy enforcement or review.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The manifest-level description omits destructive delete operations and access to user profile data, even though the documented commands include `designs delete`, `assets delete`, and `me`. This mismatch can cause users or reviewers to authorize a skill under incomplete assumptions, increasing the risk of unintended data deletion or unnecessary exposure of personal account information.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The documentation adds destructive delete capabilities that are not surfaced in the manifest description, which materially changes the risk profile of the skill. Hidden or under-disclosed destructive actions are dangerous because users may invoke or approve the skill without realizing it can remove designs or assets.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The reference documents comment-management endpoints even though the skill manifest does not declare comment functionality. This creates scope drift: an agent or integrator may expose unintended write capabilities, allowing users to post comments on designs outside the advertised behavior. In a connected SaaS environment, undocumented extra write actions are a real security and trust risk even if they are part of the upstream API.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The reference includes design deletion despite the manifest describing organization, export, upload, autofill, and blank design creation rather than destructive deletion. Undeclared delete capability can lead to irreversible user data loss if an agent surfaces or invokes it unexpectedly. The danger is increased because design deletion affects user-owned creative assets, not temporary data.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The documentation exposes asset mutation and deletion beyond the stated asset scope of uploading images to the library. This expands the skill from additive upload behavior to modification and destruction of existing assets, which could overwrite metadata or remove user content unexpectedly. Such hidden capability expansion is dangerous because users will not anticipate existing asset state being altered.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The manifest states 'images only' uploads, but the API reference lists PDF and video formats in addition to image types. This mismatch can cause unintended ingestion and transmission of broader user data classes, including documents and media that may be more sensitive or larger in impact if mishandled. The discrepancy materially expands what data the skill could exfiltrate or store through the integration.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The reference advertises export formats such as GIF, PPTX, and MP4 beyond the manifest's stated PNG/PDF/JPG support. That broadens data extraction pathways and may enable bulk export into richer or more reusable formats than users expect. While exporting is core to the skill, undocumented additional export formats still represent unauthorized scope expansion.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script implements a destructive `designs delete` capability that is not disclosed in the skill metadata, which creates a security and trust boundary mismatch. In an agent setting, hidden destructive actions are risky because a user or orchestrator may invoke the skill expecting only organization/export behavior while the code can delete user content.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The `assets delete` operation is a real hidden capability not described in the manifest, enabling permanent or semi-permanent removal of user assets. Undisclosed destructive behavior increases the chance of accidental or unauthorized deletion when the skill is used by an autonomous agent or through natural-language routing.

Missing User Warnings

Low
Confidence
78% confidence
Finding
Delete commands are documented without clear warnings about consequences such as moving designs to trash or permanently deleting assets. In a skill that manages user-owned creative assets, lack of friction around destructive operations increases the chance of accidental data loss, especially when mediated by an agent.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The OAuth callback server binds on all interfaces via `TCPServer(("", port), ...)` and does not validate the returned `state` parameter before accepting the authorization code. This makes the local callback listener more exposed than necessary and weakens CSRF/session integrity for the OAuth flow.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
;;
        delete)
            local id="$1"
            api_request DELETE "/v1/designs/$id"
            echo -e "${GREEN}Design moved to trash${NC}"
            ;;
        *)
Confidence
92% confidence
Finding
DELETE "/v1/designs/$id

Tool Parameter Abuse

High
Category
Tool Misuse
Content
;;
        delete)
            local id="$1"
            api_request DELETE "/v1/assets/$id"
            echo -e "${GREEN}Asset deleted${NC}"
            ;;
        *)
Confidence
93% confidence
Finding
DELETE "/v1/assets/$id

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.