Bona Movie Production
PassAudited by ClawScan on May 1, 2026.
Overview
This appears to be a Bona API client for image and video generation, with expected use of a Bona API key and remote generation requests.
This skill looks purpose-aligned for Bona image and video generation. Before installing, make sure you trust the Bona service, understand that your prompts and reference media URLs are sent to its API, and use an API key you are comfortable granting for generation tasks.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or using the skill may allow generation requests under the user's Bona account and could consume account quota or credits.
The skill exchanges a Bona API key for an access token and uses it to authorize API requests. This is expected for the service, but it is still account-level credential use.
json={"accessKey": self.api_key} ... "Authorization": f"Bearer {self._get_access_token()}"Use a dedicated or least-privileged Bona API key if available, avoid sharing the key, and monitor account usage.
Prompts and referenced images, videos, or audio URLs used with the skill may be processed by the external Bona service.
The skill sends generation payloads, which may include prompts and reference media URLs, to Bona's remote API. This is central to the skill's function and is visibly disclosed by the code.
requests.post(f"{self.base_url}/image", headers=self.headers, json=payload, timeout=self.timeout) ... requests.post(f"{self.base_url}/video", headers=self.headers, json=payload, timeout=self.timeout)Do not submit confidential prompts or private media URLs unless you are comfortable with Bona processing that content.
Users may not realize from the registry-level requirements that the skill needs Python dependencies and a Bona API key before use.
SKILL.md declares a Python dependency and required API key, while the registry summary lists no required environment variables and no install spec. This is a metadata/setup clarity issue, not evidence of hidden behavior.
dependencies:\n - requests ... env:\n - name: BONA_API_KEY\n required: true
Review SKILL.md before installation and ensure Python, requests, and BONA_API_KEY are configured intentionally.