Canva edit-design — agentic threat model

AIVSS 7.9 · High

The Canva edit-design agent presents moderate-to-high risk: it has write-capable API access to user design assets and translates natural language directly into file mutations, and the listing mentions no explicit confirmation mechanism.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 6.5
AARS uplift: 1.4
Factor sum: 3.8/10
Threat: ×1.05
Mitigation: ×1.0

Autonomy of Action: 0.60
Goal-Driven Planning: 0.40
Self-Modification: 0.00
Dynamic Tool Use: 0.70
Persistent Memory: 0.20
Contextual Awareness: 0.50
Dynamic Identity: 0.10
Multi-Agent Interactions: 0.20
Non-Determinism: 0.60
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
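
The arithmetic behind the 7.9, reproduced from the values listed above, with the AARS uplift broken down per factor to show which capabilities drive the score. This is an added example, not code from the listing or from OWASP; the function names and the [0, 1] range check on each factor are assumptions.

```python
# Added example: values below are copied from the score rationale on this page.
CVSS_BASE = 6.5
THREAT_MULTIPLIER = 1.05   # "Threat ×1.05" (ThM)
MITIGATION_FACTOR = 1.0    # "Mitigation ×1.0"
FACTORS = {
    "Autonomy of Action": 0.60,
    "Goal-Driven Planning": 0.40,
    "Self-Modification": 0.00,
    "Dynamic Tool Use": 0.70,
    "Persistent Memory": 0.20,
    "Contextual Awareness": 0.50,
    "Dynamic Identity": 0.10,
    "Multi-Agent Interactions": 0.20,
    "Non-Determinism": 0.60,
    "Opacity & Reflexivity": 0.50,
}


def aars(cvss_base, factors, thm):
    """AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM."""
    for name, value in factors.items():
        # Assumption: each factor lies in [0, 1], inferred from "Factor sum 3.8/10".
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name}: factor {value} outside [0, 1]")
    return (10 - cvss_base) * (sum(factors.values()) / 10) * thm


def aivss(cvss_base, factors, thm, mitigation):
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor."""
    return (cvss_base + aars(cvss_base, factors, thm)) * mitigation


def uplift_by_factor(cvss_base, factors, thm, mitigation):
    """Points each factor adds to the final score, largest first.

    AARS is linear in Factor_Sum, so the uplift splits exactly per factor.
    """
    scale = (10 - cvss_base) / 10 * thm * mitigation
    return sorted(((n, v * scale) for n, v in factors.items()),
                  key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    args = (CVSS_BASE, FACTORS, THREAT_MULTIPLIER, MITIGATION_FACTOR)
    print(f"AARS  = {aars(*args[:3]):.1f}")
    print(f"AIVSS = {aivss(*args):.1f}")
    for name, points in uplift_by_factor(*args):
        print(f"{points:5.2f}  {name}")
```
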

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models ⚠ not certain from listing

Not certain from the listing — relies on an unspecified foundation model to translate natural language into Canva API mutations; vulnerable to prompt injection that could force unauthorized design modifications or deletion of elements.

L2 · Data Operations ⚠ not certain from listing

Not certain from the listing — the agent interacts with Canva design files and metadata via the Canva Connector MCP, but the exact data storage, caching, or vector database usage for design context is not specified.

L3 · Agent Frameworks ✓ mapped

Utilizes the Canva Connector MCP (Model Context Protocol) tools to execute API design mutations. Vulnerable to tool misuse or parameter injection if the framework fails to validate the generated API payloads before sending them to Canva.

L4 · Deployment & Infrastructure ⚠ not certain from listing

Not certain from the listing — the hosting environment of the MCP connector and the agent's execution sandbox are unspecified, presenting risks of token exposure or unauthorized network egress if compromised.

L5 · Evaluation & Observability ⚠ not certain from listing

Not certain from the listing — there is no mention of real-time guardrails, transaction logging, or user-in-the-loop approval mechanisms to monitor and intercept destructive design mutations.

L6 · Security & Compliance (cross-cutting) ✓ mapped

Requires OAuth or API token authorization to access and mutate the user's real Canva files. Security relies heavily on the scope of permissions granted to the Canva Connector and whether it enforces least-privilege access.

L7 · Agent Ecosystem ✓ mapped

Operates as an 'Agent Skill' within a broader ecosystem. If integrated into a multi-agent workflow, a compromised upstream agent could abuse this skill to silently deface, delete, or exfiltrate proprietary design assets.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).