Security audit

Canvas Design Anthropic

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only visual design skill whose main risk is that it may tell the agent to fetch external fonts for artwork.

Install only if you are comfortable with a creative design skill that may ask the agent to retrieve fonts from external sources. In sensitive or controlled environments, tell the agent to use only local or preapproved fonts and review generated files before publishing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill explicitly authorizes downloading arbitrary fonts, which introduces unnecessary network access and external content retrieval into a design workflow that should be satisfiable with local assets. This expands the attack surface by allowing unvetted third-party resources, creates privacy and supply-chain risk, and can trigger unexpected outbound requests without clear user consent.

Vague Triggers

Medium
Confidence: 84%
Finding
The invocation language is very broad ('poster, piece of art, design, or other static piece'), which increases the chance the skill will be triggered for a wide range of generic creative requests. Over-broad routing is dangerous because it can cause this skill's more permissive behaviors—such as external font retrieval—to activate in contexts where the user did not specifically request them.

Missing User Warnings

Medium
Confidence: 97%
Finding
The instructions permit external font downloads without warning the user that network activity or third-party asset retrieval may occur. This is risky because it undermines informed consent, may disclose user/request metadata through outbound requests, and exposes the workflow to untrusted remote content in a skill that otherwise appears local and static.

VirusTotal

66/66 vendors flagged this skill as clean.