canva-security-basics

Implements security best practices for Canva Connect API OAuth tokens, ensuring secure access and integration.

Security score: 37/100

The canva-security-basics skill was audited on May 19, 2026 and we found 27 security issues across 4 threat categories. Review the findings below before installing.

Security Issues

medium line 77

Template literal with variable interpolation in command context

Source: SKILL.md
77: const basicAuth = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
medium line 82

Template literal with variable interpolation in command context

Source: SKILL.md
82: 'Authorization': `Basic ${basicAuth}`,
low line 79

Fetch to external URL

Source: SKILL.md
79: await fetch('https://api.canva.com/rest/v1/oauth/revoke', {
medium line 29

Webhook reference - potential data exfiltration

Source: SKILL.md
29: Security best practices for Canva Connect API OAuth 2.0 tokens, client credentials, and webhook verification. The Canva API uses OAuth with PKCE — there are no static API keys.
low line 103

Webhook reference - potential data exfiltration

Source: SKILL.md
103: // Full collaboration — includes comments and webhooks
medium line 112

Webhook reference - potential data exfiltration

Source: SKILL.md
112: ## Webhook Signature Verification
medium line 114

Webhook reference - potential data exfiltration

Source: SKILL.md
114: Canva signs webhook payloads with JWK. Verify before processing.
low line 119

Webhook reference - potential data exfiltration

Source: SKILL.md
119: // Fetch Canva's public keys for webhook verification
low line 125

Webhook reference - potential data exfiltration

Source: SKILL.md
125: async function verifyCanvaWebhook(
low line 126

Webhook reference - potential data exfiltration

Source: SKILL.md
126: token: string, // JWT from Canva webhook
low line 139

Webhook reference - potential data exfiltration

Source: SKILL.md
139: app.post('/webhooks/canva', express.text({ type: '*/*' }), async (req, res) => {
low line 140

Webhook reference - potential data exfiltration

Source: SKILL.md
140: const result = await verifyCanvaWebhook(req.body);
low line 143

Webhook reference - potential data exfiltration

Source: SKILL.md
143: await handleWebhookEvent(result.payload);
medium line 156

Webhook reference - potential data exfiltration

Source: SKILL.md
156: - [ ] Webhook signatures verified with JWK
medium line 168

Webhook reference - potential data exfiltration

Source: SKILL.md
168: | Unsigned webhook | Missing verification | Always verify JWK signature |
medium line 175

Webhook reference - potential data exfiltration

Source: SKILL.md
175: - [Webhook Keys API](https://www.canva.dev/docs/connect/api-reference/webhooks/keys/)
low line 36

Access to .env file

Source: SKILL.md
36: # .env (NEVER commit)
low line 41

Access to .env file

Source: SKILL.md
41: .env
low line 42

Access to .env file

Source: SKILL.md
42: .env.local
low line 43

Access to .env file

Source: SKILL.md
43: .env.*.local
medium line 151

Access to .env file

Source: SKILL.md
151: - [ ] `.env` files in `.gitignore`
low line 79

External URL reference

Source: SKILL.md
79: await fetch('https://api.canva.com/rest/v1/oauth/revoke', {
low line 120

External URL reference

Source: SKILL.md
120: // GET https://api.canva.com/rest/v1/connect/keys
low line 122

External URL reference

Source: SKILL.md
122: new URL('https://api.canva.com/rest/v1/connect/keys')
low line 173

External URL reference

Source: SKILL.md
173: - [Canva Authentication](https://www.canva.dev/docs/connect/authentication/)
low line 174

External URL reference

Source: SKILL.md
174: - [Canva Scopes](https://www.canva.dev/docs/connect/appendix/scopes/)
low line 175

External URL reference

Source: SKILL.md
175: - [Webhook Keys API](https://www.canva.dev/docs/connect/api-reference/webhooks/keys/)
Scanned on May 19, 2026
GitHub Stars 2.2K
Category: development
Updated: June 10, 2026
jeremylongshore/claude-code-plugins-plus-skills