Canva branded-presentation — agentic threat model
The Canva branded-presentation agent presents moderate risk, primarily centered around prompt injection manipulating workspace content and Brand Kit assets via its template connector. As an inactive reference skill, it lacks built-in security guardrails, relying entirely on the host platform's integration security.
OWASP AIVSS score rationale
| Autonomy of Action | 0.40 | |
| Goal-Driven Planning | 0.50 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.30 | |
| Persistent Memory | 0.10 | |
| Contextual Awareness | 0.40 | |
| Dynamic Identity | 0.20 | |
| Multi-Agent Interactions | 0.10 | |
| Non-Determinism | 0.60 | |
| Opacity & Reflexivity | 0.50 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — The underlying foundation model is not specified. Standard LLM risks like prompt injection and adversarial manipulation could force the agent to generate inappropriate content or misapply brand assets.
Not certain from the listing — The agent accesses Brand Kits and templates via a Connector, but the data storage, vectorization, and retrieval mechanisms are not detailed.
The agent framework orchestrates template selection and multi-slide generation. Threats include insecure tool integration via the Canva Connector, where malicious prompts could hijack the tool to overwrite existing workspace presentations or exfiltrate brand assets.
Not certain from the listing — The skill is shipped in an inactive-skills set as a reference. Hosting, sandboxing, and network isolation details are completely dependent on the deployment environment.
Not certain from the listing — There is no mention of logging, guardrails, or observability tools to monitor template selection or output generation quality.
Not certain from the listing — The agent relies on the Canva Connector for authorization, but specific identity management, access controls, and compliance policies are not defined in this reference skill.
As a skill designed to be integrated into a broader workspace, it faces ecosystem risks where other compromised agents in the same environment could trigger this skill to generate spam or unauthorized brand materials.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).