Maverick Canva Mcp

Review

Audited by ClawScan on May 13, 2026.

Overview

This appears to be a disclosed Canva MCP wrapper that uses OAuth credentials and can manage Canva content, with no artifact-backed evidence of hidden exfiltration or destructive behavior.

Install this only if you want the agent to access and manage Canva content for the connected account. Review requests carefully before allowing edits, exports, sharing, publishing, or comments, and keep the OAuth tokens and local mcporter credentials vault protected.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may follow Canva MCP’s live instructions when choosing and calling tools.

Why it was flagged

The skill intentionally relies on live MCP server instructions for tool usage. That is normal for a pass-through MCP integration, but remote instructions should be treated as tool guidance rather than allowed to override user intent or platform safety rules.

Skill content

The output includes the server's `Instructions:` field, if published... Treat this as the authoritative reference for the rest of the session.

Recommendation

Use the official Canva endpoint only, and ensure the agent does not follow remote tool instructions that conflict with the user’s request or safety expectations.

What this means

If authorized, the agent may be able to change, share, publish, or comment on Canva assets in the connected account or team.

Why it was flagged

The skill can invoke Canva tools that mutate account or team content. The behavior is disclosed and purpose-aligned, and the skill instructs confirmation before changes.

Skill content

Write-capable tools can create, edit, export, publish, share, comment on, or otherwise change Canva content visible to the connected account or team.

Recommendation

Confirm clear user intent before any write, share, publish, or export action, and review target designs/assets before editing.

What this means

The skill can act as the connected Canva account within whatever permissions the OAuth tokens grant.

Why it was flagged

The wrapper seeds OAuth access and refresh tokens into mcporter’s local credentials vault so mcporter can authenticate to Canva. This is expected for the integration and no unrelated credential use is shown.

Skill content

tokens:     {access_token: env.mcp_access, refresh_token: env.mcp_refresh, token_type: "Bearer"}

Recommendation

Authorize only the intended Canva account/team, protect the environment variables and local mcporter vault, and revoke the integration if no longer needed.

What this means

The behavior of the integration depends partly on the installed `mcporter` package version.

Why it was flagged

The skill depends on an external Node package for MCP transport and OAuth handling. This dependency is central to the purpose, but the provided install declaration does not pin a package version.

Skill content

"package": "mcporter", "bins": ["mcporter"]

Recommendation

Prefer installing a trusted, current `mcporter` release from the expected source and monitor updates, especially because it handles OAuth credentials.