Bona Movie Production

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Bona image/video generation client, with expected external API use and no evidence of hidden or destructive behavior.

Install this only if you trust the Bona service and are comfortable using a Bona API key for generation requests. Do not submit confidential prompts, private media URLs, or sensitive audio/video references unless you are comfortable with them being processed by the external provider.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill accepts image, video, audio, and reference URLs for external generation workflows but does not warn users that these assets will be sent to third-party services. This creates a privacy and data-handling risk because users may unknowingly submit sensitive or proprietary media to external providers.

Missing User Warnings

Medium

Confidence: 83% confidence
Finding: The skill transmits prompts and media-reference URLs to external services for image and video generation, but the code provides no explicit user-facing disclosure or consent step at the point of transmission. In an agent-skill context, prompts and referenced media can contain sensitive business, personal, or proprietary data, so silent exfiltration to third-party infrastructure creates a real privacy and data-governance risk.

VirusTotal

53/53 vendors flagged this skill as clean.

View on VirusTotal