Canvas Design Pro

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only visual design skill with a real but limited caution around open-ended font downloads.

Install only if you want an opinionated visual-art skill. Ask the agent to use bundled, already-installed, or explicitly approved fonts, and require confirmation before any external font download.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: The instruction to "download and use whatever fonts are needed" expands the skill from local art generation into network-enabled retrieval of arbitrary external resources. That creates unnecessary supply-chain and data-exposure risk, since a compromised or untrusted font source could deliver malicious content or cause the agent to contact external systems without a user-justified need.

Vague Triggers

Medium

Confidence: 78% confidence
Finding: The description says the skill should be used for posters, art, design, or other static pieces, which is broad enough to match many ordinary requests outside a narrowly defined visual-art workflow. Overbroad routing can cause the agent to invoke this powerful skill unnecessarily, increasing exposure to its file-generation and network-related behaviors in contexts where simpler or safer handling would suffice.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal