Auto Midjourney

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a real Midjourney automation tool, but it asks for live account/session access and includes broad browser-control helpers that need manual review.

Install only if you are comfortable giving the skill access to a logged-in Midjourney browser session. Use a dedicated Chrome profile, keep MJ_COOKIE out of chats and repos, set explicit rate limits, review output directories and logs, and avoid running the raw eval/fetch helper scripts directly unless you understand the browser-session access they provide.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (33)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def _run_osascript(script: str) -> str:
    completed = subprocess.run(
        ["osascript", "-e", script],
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
Confidence
90% confidence
Finding
completed = subprocess.run( ["osascript", "-e", script], stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=False, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
return False, completed.stderr.strip() or "open returned non-zero exit status"
            return True, ""

        subprocess.Popen(
            command,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
Confidence
87% confidence
Finding
subprocess.Popen( command, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, stdin=subprocess.DEVNULL, start_new_session=True,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def _launch_chrome(command: list[str], *, use_open: bool) -> tuple[bool, str]:
    try:
        if use_open:
            completed = subprocess.run(
                command,
                stdout=subprocess.PIPE,
                stderr=subprocess.PIPE,
Confidence
86% confidence
Finding
completed = subprocess.run( command, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=False,

Tainted flow: 'command' from os.getenv (line 586, credential/environment) → subprocess.Popen (code execution)

Medium
Category
Data Flow
Content
return False, completed.stderr.strip() or "open returned non-zero exit status"
            return True, ""

        subprocess.Popen(
            command,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
Confidence
92% confidence
Finding
subprocess.Popen( command, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, stdin=subprocess.DEVNULL, start_new_session=True,

Tainted flow: 'command' from os.getenv (line 586, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
def _launch_chrome(command: list[str], *, use_open: bool) -> tuple[bool, str]:
    try:
        if use_open:
            completed = subprocess.run(
                command,
                stdout=subprocess.PIPE,
                stderr=subprocess.PIPE,
Confidence
91% confidence
Finding
completed = subprocess.run( command, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=False,

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
This script accepts URLs extracted from JSON manifests and passes them to a browser-backed fetch/conversion routine without validating scheme, host, or destination. In the context of an authenticated Midjourney browser session, that expands a local file conversion tool into a network-capable fetch primitive that could be abused for SSRF-like access, unintended requests to attacker-controlled endpoints, or exfiltration of session-linked metadata via browser requests.

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
The browser helper path can fetch and convert arbitrary image URLs, which extends the skill from Midjourney-specific automation into a more general authenticated browser-fetch capability. In an agent setting, this increases the risk of SSRF-like access, cross-origin authenticated fetching, or unintended access to sensitive resources reachable from the browser context.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The file exposes generic authenticated browser JavaScript evaluation through browser_eval_json rather than a narrowly scoped Midjourney API. In the context of a skill that operates against a logged-in browser session, this enables arbitrary DOM access, authenticated requests, and data extraction well beyond the declared image-generation purpose.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
browser_fetch_json provides an arbitrary authenticated fetch primitive capable of reaching any URL with browser session context, especially via CDP/Playwright or the AppleScript fallback. That exceeds the stated Midjourney automation purpose and can be abused to access unrelated authenticated web resources or perform actions as the user.

Context-Inappropriate Capability

Low
Confidence
89% confidence
Finding
The generic binary fetch and image conversion helpers add broad capability to download arbitrary content through the browser and transform it in-page. While less severe than arbitrary eval/fetch, these functions still expand the skill into a general-purpose authenticated data retrieval and processing tool unrelated to its declared scope.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script performs authenticated in-browser fetches to a caller-controlled request URL while explicitly including browser credentials. Because the skill is designed to use an authenticated Midjourney browser session and also mentions reverse-engineering workflows, this effectively creates a generic ambient-authority request primitive that can send requests as the logged-in user to arbitrary origins reachable by the page context, enabling abuse of session cookies, CSRF-style actions, or data exfiltration from trusted web contexts.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code can attach to an existing page or create a new one based solely on a caller-supplied pageUrl, then use CDP Runtime/Page/Network capabilities against that page. In combination with cookie setting and authenticated fetch execution, this broadens the tool from a Midjourney-specific helper into a general browser automation capability that can operate on arbitrary sites in the user's authenticated browser context.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The eval mode executes arbitrary JavaScript inside an authenticated browser page via page.evaluate(... eval(source)). In the context of a skill explicitly designed to reuse a logged-in Midjourney browser session and reverse-engineer website workflows, this enables arbitrary code execution in the page origin, allowing theft of session data accessible to page scripts, unauthorized actions as the user, and broad abuse beyond the stated automation purpose.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Fetch mode performs credentialed requests from the authenticated browser context to an arbitrary --request-url with credentials included. Because the skill is meant to operate using an authenticated alpha.midjourney.com session and even encourages reverse-engineering workflows, this can be abused to issue unauthorized authenticated requests, probe internal or unintended endpoints, and exfiltrate response data from trusted origins reachable by the page context.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill description and trigger guidance are broad enough to auto-activate on many generic Midjourney-related requests, including prompt optimization, reverse engineering, cookie sharing, and website workflow capture. That increases the chance the agent invokes credential-handling and network automation behavior without a narrowly scoped, explicit user request, which is risky given the use of authenticated browser sessions and local downloads.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly instructs use of a full authenticated Cookie header, infers user identifiers from that cookie, performs browser-backed requests against an authenticated service, and downloads generated assets locally, but it does not present a clear privacy and data-handling warning. In context, this is dangerous because mishandling the cookie or downloaded artifacts could expose account access, session secrets, user identifiers, or private generated content.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The notes explicitly document authenticated requests that rely on a live session cookie and also describe account/user-state retrieval, but they do not place prominent security guidance around handling those secrets. In a skill designed to automate against an authenticated web session and to accept shared cookies or reverse-engineered request samples, this omission increases the chance that users or maintainers will paste, log, store, or commit reusable session credentials and account data.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The file explicitly states that the skill reuses an authenticated Midjourney browser session, watches page resources, and downloads or converts result files, but it does not pair these capabilities with user-consent, privacy, or scope-limiting guidance. In the context of an automation skill that operates against a live logged-in browser, this can lead to unintended access to account-scoped data or silent handling of downloaded content beyond what the user expects.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
When --sync-user-state is enabled, the script fetches account state from the remote Midjourney service and then includes that full object in both partial and final output JSON. That can expose account metadata, preferences, or other service-returned fields to logs or files without minimization or explicit user disclosure, which is a privacy and sensitive-data handling issue.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script retrieves authenticated Midjourney user state and prints it to stdout or writes it to an arbitrary output file without any warning, redaction, or access control. In this skill's context, that state is tied to an authenticated browser session and may contain account metadata or other sensitive session-derived information that could be exposed through logs, terminals, shared workspaces, or insecure files.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code automatically sends authentication cookies and related tokens in outbound requests without any user-visible consent, warning, or scoping safeguards. In this skill's context, those cookies are the primary account credential for Midjourney Alpha, so accidental disclosure, reuse against unintended hosts, or opaque authenticated actions are materially sensitive.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The usage log persists prompts, timestamps, job IDs, mode, and submit URL to disk without consent or minimization. Prompts may contain sensitive user data or proprietary creative content, so silent retention creates privacy and data exposure risk if the local state directory is accessible to other processes or users.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code reads MJ_COOKIE from the environment and passes it to helper subprocesses as a command-line argument. Secrets in argv are commonly exposed to local process inspection, logs, crash reports, or debugging tools, creating unnecessary risk of session-token leakage.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This skill silently launches Chrome with remote debugging enabled and then automates authenticated browsing without clear user-facing notice at the code level. In a security-sensitive context, hidden browser automation increases the risk of consent bypass and unexpected access to active session data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script accepts a raw Cookie header and programmatically injects those cookies into an authenticated browser session for Midjourney. In the context of this skill, that enables credential/session replay and impersonation of a user's web session, which is sensitive because the skill description explicitly encourages use with shared cookies and reverse-engineering of the website workflow.

VirusTotal

64/64 vendors flagged this skill as clean.
