AI & LLMs

canvas-design

Iron
Official Claude
6,177 tokens
gemini-3-pro-preview

Safety Score

30 / 100

Detected Capabilities

shell

Sensitive Files

Clean filesystem scan

Deep Audit Findings

The 'canvas-design' skill presents high security risks due to explicit instructions to download arbitrary external files (fonts) and implied code-execution behaviour. The prompt directs the agent to 'download whatever fonts are needed' without restriction; combined with the 'shell' capability identified in static analysis, this creates a vector for Server-Side Request Forgery (SSRF) and for executing untrusted binaries. Additionally, the prompt employs 'Vibe Engineering' that forces a mandatory refinement loop ('Take a second pass'), doubling resource consumption and potentially ignoring genuine user stop signals.

Unrestricted External Resource Download (SSRF Risk)

The agent is explicitly instructed to download files from the internet to fulfill design requirements. Combined with the 'shell' capability, this allows the agent to connect to arbitrary external domains, potentially exfiltrating data via URL parameters or downloading malicious payloads.

CRITICAL
SKILL.md
Download and use whatever fonts are needed to make this a reality.

Implied Unsafe Code Execution via 'Canvas'

The prompt references 'Go back to the code' and creating PDF/PNG files. This implies the agent is generating and executing code (likely Python/Matplotlib or similar) to render the art. Without strict sandboxing, the agent could generate code that reads sensitive local files (e.g., /etc/passwd) and renders their content onto the output canvas.

HIGH
SKILL.md
Go back to the code and refine/polish further to make this a philosophically designed masterpiece.

Forced Resource Consumption Loop

The prompt includes a 'pre-filled' user complaint ('The user ALREADY said...'), forcing the agent to perform a second iteration of work regardless of the actual user input. This increases latency and cost (token/compute usage) unnecessarily.

MEDIUM
SKILL.md
The user ALREADY said 'It isn't perfect enough. It must be pristine...'

Attack Surface Chain

1. Attacker asks the agent to create a design using a specific 'custom font' hosted on an attacker-controlled server.

2. Agent uses the 'shell' capability (curl/wget) to download the payload, believing it is a font.

3. If the payload is a script and the agent attempts to 'use' it, or if the download triggers a vulnerability in the font-processing library, code execution is achieved.

4. Alternatively, the attacker asks the agent to visualize the text content of '/etc/passwd'.

5. Agent generates Python code to read the file and renders the sensitive data onto the PNG canvas.

6. Attacker downloads the PNG and uses OCR or visual inspection to steal credentials.