canva-automation

SUSPICIOUS: The skill’s Canva capabilities are broadly aligned with its stated purpose, and there is no malware-like installer or exploit behavior. However, the setup instructions are materially inconsistent with official docs about required credentials, and all user data and actions are routed through a third-party MCP/Composio broker rather than directly to Canva. That intermediary design is plausible for this ecosystem but adds medium risk around credential forwarding and data flow integrity.