Canvas

Security checks across malware telemetry and agentic risk

Overview

This appears to be a purpose-aligned Canvas integration, but users should be careful with live write and raw proxy operations.

Install only if you intend to let an agent work with your Canvas data. Prefer read-only and prebuilt actions first, explicitly confirm any create, update, delete, or raw proxy request, and use/revoke least-privilege credentials.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill documents create/update operations and raw proxy requests without emphasizing that these can change live course, assignment, and user records. In an agent setting, that omission increases the chance of unintended destructive or privacy-impacting actions, especially when the agent may choose from both read and write paths autonomously.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal