Gigma Design Canvas
v1.0.1AI-powered design tool with a real editable canvas and full MCP control. Create, edit, and export social media graphics, thumbnails, banners, cards, and batc...
⭐ 0· 76·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The skill is an instruction-only connector to a cloud design service and its listed tools (create/update elements, export PNGs, project management) align with that purpose. It does not request unrelated binaries or env vars. Requiring an MCP credential (embedded token) is expected for a write-capable design service.
Instruction Scope
SKILL.md confines runtime actions to Gigma operations (list/create/switch projects, canvas and element CRUD, export). It does not instruct the agent to read local files, arbitrary system paths, or unrelated credentials. The only sensitive action is pasting your MCP config (token) into the agent's MCP settings so the skill can operate.
Install Mechanism
No install spec or code files are present; this is an instruction-only skill. That minimizes disk writes and supply-chain risk.
Credentials
The skill declares no environment variables, which fits because auth is handled by an MCP link you paste. However, that MCP config contains an embedded token that grants design-level access (create/edit/delete/export). This is proportionate to the feature set, but the token is sensitive and not modeled as a platform-declared credential — you must treat it like a password and only provide it to services/agents you trust.
Persistence & Privilege
The skill is not marked always:true and does not request to modify other skills or system settings. Model invocation is allowed (the platform default), so the agent can call the skill autonomously, which is expected for an action-oriented tool.
Assessment
This skill appears to do what it says: control a cloud design canvas via an MCP token. Before using it, verify you trust the external service (gigma.10xboost.org and the linked GitHub) because you will paste an MCP config containing a token that can create/edit/delete projects and export images. Treat that token like a password: use a dedicated/test account if possible, avoid pasting the token into untrusted/public chat, and regenerate the token after testing. Be aware that images you point to will be fetched server-side (which can reveal the image URL to the service). If you need higher assurance, ask the vendor for an audit, review their source repository, or use an account scoped and isolated from sensitive data.Like a lobster shell, security has layers — review code before you run it.
latestvk97fnkb72sedz9c45vpq2y69es83pqna
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎨 Clawdis