Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Midjourney Image

v1.0.0

Generate, edit, blend, upscale, and describe images with Midjourney via AceDataCloud API. Use when creating AI images from text prompts, editing existing ima...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (Midjourney image generation) matches the instructions: curl calls to https://api.acedata.cloud endpoints and workflows for imagine, edits, blend, describe, videos, etc. However, the SKILL.md declares that ACEDATACLOUD_API_TOKEN is required while the registry metadata lists no required environment variables — this mismatch is an inconsistency.
Instruction Scope
The instructions only describe calling AceDataCloud endpoints, setting an ACEDATACLOUD_API_TOKEN, and optionally installing/using mcp-midjourney. They do not instruct reading unrelated files, other credentials, or exfiltrating local data. The skill will send user-provided prompts and image URLs to a third-party API, which is expected behavior for this purpose.
Install Mechanism
This is instruction-only (no install spec, no code files) which is low-risk. SKILL.md suggests 'pip install mcp-midjourney' or using hosted MCP; recommending an unvetted third‑party package is a minor risk (package provenance/behavior not reviewed). There is no automatic installer in the skill itself.
Credentials
The runtime docs require ACEDATACLOUD_API_TOKEN (Bearer token) which is proportional to calling the AceDataCloud API. But the registry metadata does not declare any required env vars, creating an ambiguity: the skill expects a credential that is not declared. Ensure you only provide a token scoped appropriately and avoid using high-privilege credentials.
Persistence & Privilege
The skill does not request always: true and offers no install/writes; it is user-invocable with normal autonomous-invocation allowed. There is no evidence it attempts to modify other skills or system-wide settings.
What to consider before installing
This skill appears to implement what it claims (calls AceDataCloud Midjourney endpoints) but take these precautions before using it:
- Confirm the ACEDATACLOUD_API_TOKEN is actually required and comes from a trusted AceDataCloud account; avoid using any broad or long-lived credentials unless necessary.
- The registry metadata omitted the token requirement — ask the publisher to fix this mismatch before trusting automation.
- The skill suggests installing 'mcp-midjourney' via pip; verify that package on PyPI/GitHub and review its code or reputation before installing.
- Be cautious about sending sensitive or private images to a third‑party API (the skill will POST image URLs and data to api.acedata.cloud).
- If you need stronger assurance, request the publisher’s homepage/repo or an install spec and confirm the domain (api.acedata.cloud) and package sources are legitimate.

Like a lobster shell, security has layers — review code before you run it.
