ClawHub
Back to skill

Security audit

Maverick Canva Mcp

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Canva MCP connector that stores user-provided Canva OAuth tokens locally so an agent can use Canva’s hosted tools.

Install only if you want an agent to act through your Canva account. Use the least-privileged Canva grant you can, review write actions before approval, avoid sending unrelated sensitive content through Canva tool arguments, and revoke the Canva integration when you no longer need it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Tp4

High
Category
MCP Tool Poisoning
Confidence
99% confidence
Finding
This is a mismatch because the declared description claims end-user Canva functionality through a hosted MCP server, but the provided code does not implement any Canva design, asset, folder, export, brand, comment, or template operations. Instead, it is purely setup infrastructure for seeding OAuth credentials into mcporter's vault based on environment variables and config. While that may support connecting to an MCP server, the actual code shown is not a thin runtime pass-through to Canva's MCP and its primary purpose is materially different from the description.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This shell script reads refresh tokens, access tokens, client IDs, and optionally client secrets from environment variables, then persists them via `mcporter vault set`. Although comments describe the behavior, there is no runtime confirmation, print/log message, or other user-facing disclosure when handling and storing these sensitive credentials.

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
The output includes the server's `Instructions:` field, if published, and a JSON Schema for every tool's parameters. Treat this as the authoritative reference for the rest of the session.

**Step 2 — Call any tool from the catalog** using the form `maverick-canva-mcp.<tool>`:

```sh
mcporter --config {baseDir}/mcporter.json call maverick-canva-mcp.<tool> <arg>=<value> ...
Confidence
80% confidence
Finding
Call any tool

Credential Access

High
Category
Privilege Escalation
Content
- `MAVERICK_CANVA_MCP_EXPIRES_IN`
- `MAVERICK_CANVA_MCP_REFRESH_TOKEN_EXPIRES_AT`

These expiry fields are vault metadata, not tool arguments. They let mcporter make better pre-request refresh decisions for the access token and preserve refresh-token expiry information when the upstream OAuth response includes it.

**Setup-time prerequisites.** Setup needs `bash`, `jq`, and `mcporter` (>= v0.11.0) on `PATH`. These are gated by the install caller, not by `requires.bins` in this file, which gates agent-runtime eligibility. If setup fails, verify those binaries are present and current before retrying.
Confidence
70% confidence
Finding
access token

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/init-mcporter-oauth.sh:77