Canvas Design Pro

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only creative design skill whose behavior is mostly limited to generating visual files, with a minor caution around optional font downloads.

Safe to install for creative image/PDF generation. Before allowing the agent to download fonts, prefer the bundled canvas-fonts directory or approve a trusted font source explicitly, and review generated files before publishing them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: The skill explicitly authorizes downloading arbitrary fonts, which expands a local art-generation workflow into one that may perform network access and import untrusted external assets. That creates avoidable supply-chain and data-exposure risk, especially if the agent runs in a privileged environment or if the download source is not tightly restricted.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill instructs external font downloads without disclosing that network access or filesystem changes may occur. Hidden or poorly disclosed external access is dangerous because it can surprise users, pull in untrusted content, and create an avenue for supply-chain abuse or unintended environment modification.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal