canva
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONCOMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (MEDIUM): The skill creates a significant attack surface by allowing the agent to perform write operations (create designs, upload assets, export files) based on untrusted external data.
- Ingestion points: Untrusted data enters the skill via
scripts/canva.sharguments, specifically theautofillJSON payload anduploadfile paths. - Boundary markers: Absent. The skill does not use delimiters or instructions to prevent the agent from obeying commands embedded in design templates or asset names.
- Capability inventory: The skill utilizes
curlfor network requests toapi.canva.com, handles file uploads, and generates export URLs for designs. - Sanitization: Absent. User-provided data is interpolated directly into shell commands and JSON strings in
scripts/canva.sh, which could lead to malformed requests or logic bypass. - Data Exposure & Credentials (LOW): The skill manages sensitive OAuth 2.0 credentials.
- Evidence:
scripts/canva-auth.shstores access and refresh tokens in plain text at~/.canva/tokens.json. While it correctly applieschmod 600to restrict access, these tokens remain a high-value target for local data exposure. - Persistence (LOW): The documentation encourages users to modify sensitive shell configuration files.
- Evidence:
README.mdsuggests addingCANVA_CLIENT_IDandCANVA_CLIENT_SECRETto~/.bashrcor~/.zshrcfor persistence, which is a standard configuration practice but involves modifying shell profiles.
Audit Metadata