Trust Assessment
canvas received a trust score of 36/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 1 critical, 2 high, 1 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Missing required field: name, Arbitrary URL Loading via 'present' and 'navigate' actions.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 18, 2026 (commit b62bd290). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/canvas/SKILL.md:114 | |
| HIGH | Arbitrary URL Loading via 'present' and 'navigate' actions The 'canvas' skill allows loading arbitrary URLs into the connected node's canvas (WebView) via the 'present' and 'navigate' actions. Specifically, the `target` parameter for `present` and the `url` parameter for `navigate` accept full URLs. If an attacker can control these parameters, they can direct the WebView to load any website, including malicious ones. This could lead to phishing attacks, drive-by downloads (if the WebView is not adequately sandboxed), or other web-based exploits, as the WebView would render content from an attacker-controlled domain. Implement strict validation for URLs passed to 'present' and 'navigate' actions. Ideally, restrict URLs to a whitelist of trusted domains or only allow loading content from the local canvas host. Ensure the WebView is configured with robust security policies, such as Content Security Policy (CSP), and runs in a highly sandboxed environment to mitigate the impact of loading untrusted content. Consider if the ability to load arbitrary external URLs is truly necessary for the skill's functionality. | LLM | SKILL.md:47 | |
| HIGH | Arbitrary JavaScript Execution via 'eval' action The 'canvas' skill exposes an 'eval' action that allows executing arbitrary JavaScript within the connected node's canvas (WebView). If an attacker can control the JavaScript string passed to this action, they can perform actions such as data exfiltration (e.g., reading cookies, local storage, or other data accessible to the WebView's origin and sending it to an attacker-controlled server), phishing, or other malicious activities within the context of the WebView. This is a direct JavaScript injection vulnerability. Implement strict input validation and sanitization for the JavaScript string passed to the 'eval' action. Consider if arbitrary JavaScript execution is truly necessary; if not, replace it with more specific, safer actions. If 'eval' is essential, ensure the WebView operates in a highly sandboxed environment with minimal permissions, restricted network access, and an isolated origin to limit the impact of malicious scripts. Educate users about the risks of executing untrusted JavaScript. | LLM | SKILL.md:49 | |
| MEDIUM | Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/canvas/SKILL.md:1 |
Scan History
Embed Code
[](https://skillshield.io/report/7563179b7275e14d)
Powered by SkillShield