canva-bulk-create

Pass

Audited by Gen Agent Trust Hub on Mar 24, 2026

Risk Level: SAFE
DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill fetches data and uploads assets from arbitrary, user-provided URLs in Step 1 and Step 5. While central to its bulk-creation features, this involves network requests to external domains.
  • [PROMPT_INJECTION]: The skill processes untrusted tabular data from files, URLs, and text inputs without explicit sanitization or boundary markers. This creates an indirect prompt injection surface where malicious content in the data could attempt to influence the agent's execution logic during the batch process.
      * Ingestion points: Data extraction from files, pasted text, and remote URLs (Step 1).
      * Boundary markers: Absent; no instructions are provided to the agent to disregard instructions embedded within the data.
      * Capability inventory: Use of Canva:upload-asset-from-url and Canva:autofill-design tools.
      * Sanitization: Absent; data values are mapped directly from input to template fields.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 24, 2026, 09:17 PM