v0.1.0

Bona Movie Production

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:03 AM.

Analysis

This appears to be a straightforward Bona API client for image and video generation, but users should notice that it needs a Bona API key and sends prompts or media references to Bona’s remote service.

Guidance: Before installing, verify that you trust the Bona API endpoint, expect to provide BONA_API_KEY and have the requests package available, avoid sending confidential media unless acceptable, and check generated task status/results carefully because the documented and coded status values appear inconsistent.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: High | Status: Note
metadata
Required env vars: none ... Primary credential: none ... No install spec — this is an instruction-only skill.

The registry metadata under-declares setup needs compared with SKILL.md and code, which reference requests and BONA_API_KEY. This is a disclosure/setup gap rather than evidence of hidden behavior.

User impact: A user may not realize from registry metadata alone that the skill needs a Python dependency and a Bona API key.
Recommendation: Update registry metadata to declare the requests dependency and BONA_API_KEY requirement clearly.
Tool Misuse and Exploitation
Severity: Low | Confidence: Medium | Status: Note
scripts/bona_movie_production.py
PROCESSING_STATUSES = {0, "0", ...}; SUCCESS_STATUSES = {1, "1", ...}; FAILED_STATUSES = {2, "2", 3, "3", ...}

The visible code treats status 1 as success, while SKILL.md describes status 9 as complete, -1 as failed, and 1 as still generating. This could make task polling unreliable.

User impact: The skill may return too early or wait until timeout depending on the provider’s actual status values.
Recommendation: Align the polling constants with the provider’s documented status codes and confirm a result URL or final artifact before presenting generation as complete.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
scripts/bona_movie_production.py
DEFAULT_LOGIN_URL = "https://create.bonanai.com/api/auth/loginByAccessKey" ... json={"accessKey": self.api_key}

The client logs in to Bona using an API key and then uses a bearer token for generation requests. This is expected for the stated service, but it is still account-authorized access.

User impact: A Bona API key may allow use of the user’s Bona account or quota for image and video generation.
Recommendation: Use a Bona API key intended for this service, verify the Bona endpoint before use, and rotate the key if it is exposed or no longer needed.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
scripts/bona_movie_production.py
requests.post(f"{self.base_url}/image", headers=self.headers, json=payload, timeout=self.timeout) ... requests.post(f"{self.base_url}/video", headers=self.headers, json=payload, timeout=self.timeout)

Image and video prompts, plus any reference media URLs included in the payload, are sent to a remote Bona API. This is purpose-aligned, but it is an external data flow.

User impact: Private prompts, image URLs, video URLs, or audio references could be disclosed to the remote generation provider.
Recommendation: Do not submit confidential media or sensitive prompt text unless you are comfortable sending it to the Bona service under its terms.