Back to skill

Security audit

Canva Automation

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims: automate Canva through a third-party MCP server, with normal content-sharing risks for exported designs.

Install only if you are comfortable connecting your Canva workflow to Rube's MCP server. Avoid sending private Canva designs through the skill unless needed, and treat exported files, asset URLs, and download links as sensitive content that should not be logged, pasted publicly, or retained unnecessarily.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence
84% confidence
Finding
The skill documents how to export Canva designs and retrieve downloadable URLs, but it does not warn users that exported files and time-limited download links may contain sensitive design content and can be exposed if logged, pasted into chats, or shared insecurely. In an automation context, omissions like this can lead users or downstream agents to treat export URLs as harmless operational data when they are effectively access-bearing references to user content.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.