Canvas LMS

Security checks across malware telemetry and agentic risk

Overview

This is a simple Canvas LMS API helper that uses a user-provided Canvas token to read course, grade, assignment, file, and inbox data.

Install only if you are comfortable letting the agent use your Canvas API token to read educational records such as grades, submissions, messages, and course files. Verify CANVAS_URL is your school's real Canvas domain, keep the token out of shared logs or committed .env files, minimize sensitive queries, and revoke the token when you no longer need it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly instructs users to configure a long-lived Canvas API token and access highly sensitive student data such as grades, submissions, inbox messages, and course materials, but it provides no privacy notice, consent guidance, or data-handling constraints. In an agent setting, this omission increases the risk of over-collection, accidental disclosure, or use of educational records without clear user awareness, which is especially sensitive because Canvas data may include FERPA-protected information.

VirusTotal

65/65 vendors flagged this skill as clean.
