canva-known-pitfalls

Helps developers identify and avoid common pitfalls when integrating with the Canva Connect API, ensuring best practices are followed.

Security score: 57/100

The canva-known-pitfalls skill was audited on Jun 1, 2026 and we found 15 security issues across 3 threat categories. Review the findings below before installing.

Security Issues

[medium] SKILL.md line 87: Template literal with variable interpolation in command context
    const { job } = await canvaAPI(`/exports/${req.params.jobId}`, token);

[medium] SKILL.md line 115: Template literal with variable interpolation in command context
    const design = await canvaAPI(`/designs/${id}`, token);

[medium] SKILL.md line 120: Template literal with variable interpolation in command context
    const design = await canvaAPI(`/designs/${id}`, token);

[medium] SKILL.md line 121: Template literal with variable interpolation in command context
    cache.set(`design:meta:${id}`, {

[medium] SKILL.md line 189: Template literal with variable interpolation in command context
    await notifyUser(`Edit your design before ${sevenDaysFromNow}: ${design.urls.edit_url}`);

[low] SKILL.md line 134: Fetch to external URL
    const tokens = await fetch('https://api.canva.com/rest/v1/oauth/token', {

[medium] SKILL.md line 160: Webhook reference - potential data exfiltration
    ## Pitfall #8: Not Validating Webhook Signatures

[low] SKILL.md line 163: Webhook reference - potential data exfiltration
    // WRONG — accepts any POST as a valid webhook

[low] SKILL.md line 164: Webhook reference - potential data exfiltration
    app.post('/webhooks/canva', (req, res) => {

[low] SKILL.md line 170: Webhook reference - potential data exfiltration
    app.post('/webhooks/canva', express.text({ type: '*/*' }), async (req, res) => {

[low] SKILL.md line 171: Webhook reference - potential data exfiltration
    const payload = await verifyCanvaWebhook(req.body); // JWK verification

[medium] SKILL.md line 225: Webhook reference - potential data exfiltration
    | Unsigned webhooks | Security audit | JWK verification |

[low] SKILL.md line 134: External URL reference
    const tokens = await fetch('https://api.canva.com/rest/v1/oauth/token', {

[low] SKILL.md line 231: External URL reference
    - [Canva Authentication](https://www.canva.dev/docs/connect/authentication/)

[low] SKILL.md line 233: External URL reference
    - [Canva Scopes](https://www.canva.dev/docs/connect/appendix/scopes/)
Scanned on Jun 1, 2026