canvas-a2ui

Warn

Audited by Socket on Mar 1, 2026

1 alert found:

Security: MEDIUM
SKILL.md

This skill is conceptually benign for programmatic diagram/chart/image generation and its capabilities match its stated purpose. However, several legitimate features carry meaningful security risk if misconfigured: canvas_eval allows arbitrary JS execution in the browser context, canvas_image can cause reads of arbitrary local files, and the optional local server creates an exposed surface. The documentation's note permitting network access "unless explicitly allowed" is a notable risk because enabling network access would permit easy exfiltration of canvas contents or files rendered to canvas. Overall the skill is not demonstrably malicious based on the provided documentation, but it is potentially exploitable and should be treated as suspicious unless deployed with strict sandboxing, read/write restrictions, and network controls.

Confidence: 75%
Severity: 75%
Audit Metadata
Analyzed At
Mar 1, 2026, 05:13 AM
Package URL
pkg:socket/skills-sh/winsorllc%2Fupgraded-carnival%2Fcanvas-a2ui%2F@e25a1f9d4c6435c9ab6e16a807cd946947b7d13d