Maverick Canva Mcp

Pass
Audited by VirusTotal on May 13, 2026.

Overview

Type: OpenClaw Skill
Name: maverick-canva-mcp
Version: 1.0.2

The skill is a legitimate integration for Canva's Model Context Protocol (MCP) server. It uses a setup script (init-mcporter.sh) to provision OAuth credentials into the local mcporter vault and a wrapper (invoke.sh) to execute commands. The implementation follows good security practices, such as using environment variables to pass secrets to jq and employing file locking for concurrency. No evidence of data exfiltration, malicious execution, or harmful prompt injection was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note
High Confidence
ASI01: Agent Goal Hijack
What this means

The agent may follow Canva MCP’s live instructions when choosing and calling tools.

Why it was flagged

The skill intentionally relies on live MCP server instructions for tool usage. That is normal for a pass-through MCP integration, but remote instructions should be treated as tool guidance rather than allowed to override user intent or platform safety rules.

Skill content

The output includes the server's `Instructions:` field, if published... Treat this as the authoritative reference for the rest of the session.

Recommendation

Use the official Canva endpoint only, and ensure the agent does not follow remote tool instructions that conflict with the user’s request or safety expectations.

What this means

If authorized, the agent may be able to change, share, publish, or comment on Canva assets in the connected account or team.

Why it was flagged

The skill can invoke Canva tools that mutate account or team content. The behavior is disclosed and purpose-aligned, and the skill instructs confirmation before changes.

Skill content

Write-capable tools can create, edit, export, publish, share, comment on, or otherwise change Canva content visible to the connected account or team.

Recommendation

Confirm clear user intent before any write, share, publish, or export action, and review target designs/assets before editing.

What this means

The skill can act as the connected Canva account within whatever permissions the OAuth tokens grant.

Why it was flagged

The wrapper seeds OAuth access and refresh tokens into mcporter’s local credentials vault so mcporter can authenticate to Canva. This is expected for the integration and no unrelated credential use is shown.

Skill content

tokens:     {access_token: env.mcp_access, refresh_token: env.mcp_refresh, token_type: "Bearer"}

Recommendation

Authorize only the intended Canva account/team, protect the environment variables and local mcporter vault, and revoke the integration if no longer needed.

What this means

The behavior of the integration depends partly on the installed `mcporter` package version.

Why it was flagged

The skill depends on an external Node package for MCP transport and OAuth handling. This dependency is central to the purpose, but the provided install declaration does not pin a package version.

Skill content

"package": "mcporter", "bins": ["mcporter"]

Recommendation

Prefer installing a trusted, current `mcporter` release from the expected source and monitor updates, especially because it handles OAuth credentials.