Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Canva Skill

v1.0.0

Create, export, upload assets to, and manage Canva designs via the Canva Connect API. Use when the user wants to create social posts, posters, PPT/slide visu...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for jiangwill2023/canva-skill.

Install the skill "Canva Skill" (jiangwill2023/canva-skill) from ClawHub.
Skill page: https://clawhub.ai/jiangwill2023/canva-skill
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install canva-skill

ClawHub CLI


npx clawhub@latest install canva-skill

Security Scan

Capability signals

  • Requires OAuth token
  • Requires sensitive credentials

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

  • VirusTotal: Benign
  • OpenClaw: Suspicious (high confidence)

[!] Purpose & Capability

The SKILL.md describes standard Canva Connect API operations (create, export, upload, autofill) which are consistent with the skill name and description. However, the package metadata lists no required environment variables or config paths even though the runtime instructions require a Client ID/Secret and a local token file (~/.canva/tokens.json). That mismatch is unexpected and reduces trustworthiness.

[!] Instruction Scope

Runtime instructions explicitly tell the agent to read credentials from environment variables (CANVA_CLIENT_ID, CANVA_CLIENT_SECRET), to read/write a token file at ~/.canva/tokens.json, and to upload local files (e.g., @image.png). Those file/env accesses are narrowly scoped to Canva usage, but they are not declared in the skill metadata and therefore represent scope/visibility drift in the published manifest.

Install Mechanism

No install spec or code files are present; this is an instruction-only skill. That is low-risk from an installation/execution perspective because nothing is downloaded or written by an installer.

[!] Credentials

The credentials requested by the SKILL.md (Client ID, Client Secret, and stored access/refresh tokens) are proportionate to integrating with Canva. However, the skill metadata does not declare these required environment variables or the token file path. The lack of declared sensitive requirements is a metadata/visibility problem: the skill will ask for secrets at runtime without declaring them up-front in the registry entry.

Persistence & Privilege

The skill does not request elevated platform privileges or permanent 'always' inclusion. It does instruct storing OAuth tokens under ~/.canva/tokens.json, which is reasonable for an OAuth-based workflow but should have been declared as a required config path.

What to consider before installing

This skill appears to implement real Canva API workflows, but its published metadata fails to declare the sensitive things the SKILL.md requires. Before installing or using it:

  • Verify the skill's source and trustworthiness (publisher identity is unknown here).
  • Expect to provide CANVA_CLIENT_ID and CANVA_CLIENT_SECRET and to perform OAuth; do not give broader credentials than necessary. Limit granted scopes to the minimum listed in SKILL.md.
  • The skill will store access tokens at ~/.canva/tokens.json; ensure you are comfortable with tokens on disk and set restrictive file permissions.
  • Prefer using a secure secret store rather than echoing secrets into shell exports in shared environments.
  • Ask the publisher to update the registry metadata to declare required env vars and config paths (CANVA_CLIENT_ID, CANVA_CLIENT_SECRET, ~/.canva/tokens.json). That change would remove the main incoherence.

If you cannot verify the publisher, avoid installing or run it in an isolated environment (throwaway account or sandbox).

Like a lobster shell, security has layers — review code before you run it.

v1.0.0
MIT-0

Canva Skill

Use Canva Connect API for design creation, export, and asset upload workflows.

Prerequisites

Create a Canva Integration:

  1. Go to https://www.canva.com/developers/
  2. Create a new integration
  3. Get your Client ID and Client Secret

Set environment variables:

export CANVA_CLIENT_ID="your_client_id"
export CANVA_CLIENT_SECRET="your_client_secret"

Authenticate on first use and store tokens in ~/.canva/tokens.json.

API Base URL

https://api.canva.com/rest/v1

Authentication

Get access token from local token file:

ACCESS_TOKEN=$(jq -r '.access_token' ~/.canva/tokens.json)

Refresh tokens automatically when the auth flow supports it.
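
The scan above advises restrictive permissions on ~/.canva/tokens.json. One way to enforce that when storing and loading the token, as an added example that is not part of the skill's SKILL.md (the function names and the CANVA_TOKEN_FILE override are hypothetical; jq is assumed to be installed, as in the commands on this page):

```shell
#!/bin/sh
# Added example, not part of the skill. Function names are hypothetical;
# the default path is the one SKILL.md uses.
CANVA_TOKEN_FILE="${CANVA_TOKEN_FILE:-$HOME/.canva/tokens.json}"

# Print a file's octal permission bits (GNU stat first, then BSD stat).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only for a regular, non-symlink file owned by the current user
# with no group/other permission bits (600 or 400).
token_file_is_private() (
  f="$1"
  { [ -f "$f" ] && [ ! -L "$f" ]; } || { echo "not a regular file: $f" >&2; exit 1; }
  [ -O "$f" ] || { echo "not owned by current user: $f" >&2; exit 1; }
  mode=$(file_mode "$f") || exit 1
  case "$mode" in
    [46]00) exit 0 ;;
    *) echo "mode $mode on $f is too permissive (want 600)" >&2; exit 1 ;;
  esac
)

# Store a token JSON document read from stdin with owner-only permissions.
save_canva_tokens() (
  umask 077                        # new directory gets 700, new file gets 600
  mkdir -p "$(dirname "$CANVA_TOKEN_FILE")"
  cat > "$CANVA_TOKEN_FILE"
  chmod 600 "$CANVA_TOKEN_FILE"    # also tightens a pre-existing file
)

# Print the access token, but only if the token file passes the check.
load_canva_token() (
  token_file_is_private "$CANVA_TOKEN_FILE" || exit 1
  # -e makes jq exit non-zero when .access_token is missing or null,
  # so a broken file never yields the literal string "null" as a token.
  jq -er '.access_token' "$CANVA_TOKEN_FILE"
)

# Usage: ACCESS_TOKEN=$(load_canva_token) || exit 1
```
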

Core Operations

List Designs

curl -s "https://api.canva.com/rest/v1/designs" \
  -H "Authorization: Bearer $ACCESS_TOKEN" | jq .

Get Design Details

curl -s "https://api.canva.com/rest/v1/designs/{designId}" \
  -H "Authorization: Bearer $ACCESS_TOKEN" | jq .

Create Design from Template

curl -X POST "https://api.canva.com/rest/v1/autofills" \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "brand_template_id": "TEMPLATE_ID",
    "data": {
      "title": {"type": "text", "text": "Your Title"},
      "body": {"type": "text", "text": "Your body text"}
    }
  }'

Export Design

Start export job:

curl -X POST "https://api.canva.com/rest/v1/exports" \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "design_id": "DESIGN_ID",
    "format": {"type": "png", "width": 1080, "height": 1080}
  }'

Check export status:

curl -s "https://api.canva.com/rest/v1/exports/{jobId}" \
  -H "Authorization: Bearer $ACCESS_TOKEN" | jq .

Upload Asset

curl -X POST "https://api.canva.com/rest/v1/asset-uploads" \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "Content-Type: application/octet-stream" \
  -H 'Asset-Upload-Metadata: {"name": "my-image.png"}' \
  --data-binary @image.png

List Brand Templates

curl -s "https://api.canva.com/rest/v1/brand-templates" \
  -H "Authorization: Bearer $ACCESS_TOKEN" | jq .

Export Formats

  • PNG: width, height, lossless
  • JPG: width, height, quality (1-100)
  • PDF: standard, print
  • MP4: for video designs
  • GIF: for animated designs

Common Workflows

Create Instagram Post

  1. List brand templates
  2. Find an Instagram post template
  3. Autofill with content
  4. Export as PNG 1080x1080
  5. Download exported file

Create Carousel

  1. Create multiple designs using autofill
  2. Export each as PNG
  3. Combine for posting

Batch Export

  1. List designs
  2. Loop through and export each
  3. Download all files

Error Handling

Handle common errors clearly:

  • 401: Token expired, refresh needed
  • 403: Missing required scope
  • 404: Design/template not found
  • 429: Rate limit exceeded

Required Scopes

  • design:content:read
  • design:content:write
  • asset:read
  • asset:write
  • brandtemplate:content:read

Tips

  • Prefer Brand Templates for posters and slides when available.
  • Batch exports to reduce repetitive work.
  • Cache commonly used template IDs locally.
  • Poll export jobs until complete before downloading.

Current Status

This local skill skeleton is installed in the workspace, but Canva API use is not ready until the integration credentials and first-time OAuth authentication are completed.
