canva
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: No malicious patterns, prompt injections, or security vulnerabilities were identified in the skill's implementation or instructions.- [CREDENTIALS_UNSAFE]: The skill stores OAuth authentication tokens in
~/.mcp-skill/auth/. This is standard behavior for MCP skills to maintain user sessions and does not constitute a security risk in this context.- [EXTERNAL_DOWNLOADS]: The skill specifies a dependency on themcp-skillPython package, which is the standard library for building and interacting with MCP-based skills.- [DATA_EXFILTRATION]: All tool calls are routed through the official Canva MCP endpoint (https://mcp.canva.com/mcp). No evidence of data exfiltration to unauthorized third-party services was found.
Audit Metadata