canva — agentic threat model
The Canva MCP server plugin for Claude Code introduces moderate risk by exposing design creation, modification, and brand-checking capabilities to an LLM. The primary threat vector is unauthorized asset manipulation or credential exposure via the authenticated MCP connection.
OWASP AIVSS score rationale
| Autonomy of Action | 0.60 | |
| Goal-Driven Planning | 0.50 | |
| Self-Modification | 0.10 | |
| Dynamic Tool Use | 0.70 | |
| Persistent Memory | 0.20 | |
| Contextual Awareness | 0.50 | |
| Dynamic Identity | 0.40 | |
| Multi-Agent Interactions | 0.30 | |
| Non-Determinism | 0.60 | |
| Opacity & Reflexivity | 0.40 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1 (Foundation Models): Not certain from the listing — Claude Code uses Anthropic's foundation models, but the specific model version, alignment, and vulnerability to adversarial prompt injection are not detailed in this plugin's context.
Layer 2 (Data Operations): Not certain from the listing — The agent accesses Canva designs and brand assets, but details regarding vector database storage, RAG implementation, or data lineage are not specified.
Layer 3 (Agent Frameworks): The agent uses the Model Context Protocol (MCP) to orchestrate tools. Threats include tool misuse, where Claude could be manipulated into deleting, corrupting, or resizing Canva designs without authorization.
Layer 4 (Deployment and Infrastructure): The Canva MCP server runs locally or in a hosted environment to bridge Claude Code with Canva. Threats include local credential theft (Canva tokens) and unauthorized local access to the MCP port.
Layer 5 (Evaluation and Observability): Not certain from the listing — There is no mention of logging, monitoring, or guardrails to detect anomalous design modifications or unauthorized tool calls initiated by the MCP server.
Layer 6 (Security and Compliance): The MCP server is authenticated to Canva, acting on behalf of the user. Threats include leakage of Canva API keys/tokens and a lack of granular authorization, which grants Claude broad access to the user's Canva account.
Layer 7 (Agent Ecosystem): Claude Code acts as an orchestrator interacting with the Canva MCP server. Threats include cascading failures if Claude Code is compromised, leading to automated, malicious modifications across the user's entire Canva workspace.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).