Midjourney Image

Security checks across malware telemetry and agentic risk

Overview

This skill is an instruction-only Midjourney/AceDataCloud integration that openly sends prompts and image URLs to a third-party API, with privacy caveats but no hidden or destructive behavior found.

Install only if you are comfortable sending prompts, image URLs, and related metadata to AceDataCloud/Midjourney-related services. Use a dedicated API token where possible, avoid secrets, confidential images, internal URLs, or regulated personal data, and verify the optional mcp-midjourney package or hosted MCP endpoint before enabling it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill clearly instructs users to send prompts and image URLs to AceDataCloud's external Midjourney API, but it does not explicitly warn that potentially sensitive user content will leave the local environment and be processed by a third party. In a skill that handles free-form prompts, uploaded image references, and reverse-prompting, this omission creates a real privacy and data-governance risk even if the functionality is intended.

Natural-Language Policy Violations

Medium
Confidence
89% confidence
Finding
The documentation presents `translation: true` as a supported behavior that auto-translates non-English prompts before submission, without emphasizing user consent or the privacy implications of sending transformed content to another service path. Automatic translation can expose sensitive text the user may not expect to be altered or relayed, and may also change prompt meaning in ways that affect safety or compliance.

External Transmission

Medium
Category
Data Exfiltration
Content
## Quick Start — Generate an Image

```bash
curl -X POST https://api.acedata.cloud/midjourney/imagine \
  -H "Authorization: Bearer $ACEDATACLOUD_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"prompt": "a futuristic city at sunset, cyberpunk style --ar 16:9", "wait": true}'
```
Confidence
95% confidence
Finding
curl -X POST https://api.acedata.cloud/midjourney/imagine \ -H "Authorization: Bearer $ACEDATACLOUD_API_TOKEN" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
## Quick Start — Generate an Image

```bash
curl -X POST https://api.acedata.cloud/midjourney/imagine \
  -H "Authorization: Bearer $ACEDATACLOUD_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"prompt": "a futuristic city at sunset, cyberpunk style --ar 16:9", "wait": true}'
```
Confidence
95% confidence
Finding
https://api.acedata.cloud/

VirusTotal

64/64 vendors flagged this skill as clean.
