Canva get-design-feedback — agentic threat model
The agent presents a low-to-moderate risk profile because it is read-only and acts primarily as a design critic. The main security boundary is the Canva Connector, where the primary threats are unauthorized data access and prompt injection via design content.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.20 |
| Goal-Driven Planning | 0.10 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.20 |
| Persistent Memory | 0.00 |
| Contextual Awareness | 0.40 |
| Dynamic Identity | 0.10 |
| Multi-Agent Interactions | 0.00 |
| Non-Determinism | 0.40 |
| Opacity & Reflexivity | 0.30 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Foundation Models: Not certain from the listing — likely uses a multimodal or text-based LLM to interpret design layouts. Threats include prompt injection via text elements embedded within the user's Canva design, which could hijack the critique output.
Data Operations: Reads live Canva designs via the Canva Connector. This introduces risks of unauthorized access to sensitive user templates, proprietary brand assets, or private design data if the connector's data access controls are bypassed.
Agent Frameworks: Uses the Canva Connector as a read-only tool to fetch design data and injects design heuristics into the context. Risks include tool manipulation or indirect prompt injection where malicious design data alters the agent's heuristic evaluation logic.
Deployment and Infrastructure: Not certain from the listing — hosted within Canva's proprietary infrastructure. Threats include standard cloud hosting vulnerabilities and potential container isolation issues if the agent processes untrusted design files in a shared environment.
Evaluation and Observability: Not certain from the listing — no observability, logging, or guardrail mechanisms are described. Gaps here could allow silent failures or undetected data exfiltration via crafted design critiques.
Security and Compliance: Not certain from the listing — likely relies on Canva's native OAuth and session management. Threats include broken object-level authorization if the agent fails to verify that the active user has permission to read the requested design ID.
Agent Ecosystem: Not certain from the listing — operates as a standalone skill, but exists within the broader Canva ecosystem. Threats include horizontal escalation if other compromised Canva apps or agents can intercept its inputs or outputs.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).