HIGH RISK NaN/100

@iflow-mcp/mattcoatsworth-canva-mcp-server

Unknown developer

Key Security Threats

HIGH Malware Signature

YARA rule match: -postinstall_file_manipulation

/tmp/extract-bbd817342138661ddd3b37ad5dc6b3b64fdbc188aa3060aa601dac173b5da192-3912018426/src/resources.js

HIGH Exposed Secret

MCP transport security issue: HARDCODED-TOKEN-.env

.env

HIGH Malware Signature

YARA rule match: -credential_env_files

/tmp/extract-bbd817342138661ddd3b37ad5dc6b3b64fdbc188aa3060aa601dac173b5da192-3912018426/src/api-client.js

HIGH Malware Signature

YARA rule match: -postinstall_environment_access

/tmp/extract-bbd817342138661ddd3b37ad5dc6b3b64fdbc188aa3060aa601dac173b5da192-3912018426/src/api-client.js

HIGH Malware Signature

YARA rule match: -credential_env_files

/tmp/extract-bbd817342138661ddd3b37ad5dc6b3b64fdbc188aa3060aa601dac173b5da192-3912018426/README.md

All Findings (38)

Malware Signature

YARA rule match: -postinstall_file_manipulation

Exposed Secret

MCP transport security issue: HARDCODED-TOKEN-.env

Malware Signature

YARA rule match: -credential_env_files

Malware Signature

YARA rule match: -postinstall_environment_access

Malware Signature

YARA rule match: -credential_env_files

Malware Signature

YARA rule match: -postinstall_network_communication

Recommended Action

This extension has significant security concerns that warrant careful review. Consider uninstalling or finding a safer alternative. If you must use it, limit the permissions and monitor for suspicious activity.

Analysis performed on 4/18/2026 · Version unknown

Data sourced from automated security scanning.