Bole story creation system: enter a prompt to create a video story

Advisory. Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone who can read execution logs may be able to reuse the Bole access token to access or modify the user's Bole account resources.

Why it was flagged

The code obtains a bearer access token from BOLE_ACCESS_KEY and prints it to stderr, where logs or surrounding systems may capture it.

Skill content
access_token = resp_json.get("data", {}).get("access_token")
print(f"access_token: {access_token}", file=sys.stderr)
Recommendation

Do not use this version unless token logging is removed or redacted, and ensure BOLE_ACCESS_KEY is declared and handled as a secret.
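The hardened form of the quoted snippet, as an added example written for this advisory rather than code taken from the skill: the secret is read from BOLE_ACCESS_KEY and the process fails closed if it is absent, the token is never printed, and the log line carries only a redacted fingerprint. The response shape (`data.access_token`) is taken from the quoted code; the sample response, the logger name and the redaction width are constructed assumptions.

```python
import io
import logging
import os

# Constructed stand-in for the token endpoint response. Only the "data.access_token"
# path is taken from the skill's own code; the other values are made up for this example.
SAMPLE_RESPONSE = {"code": 0, "data": {"access_token": "bole_live_0123456789abcdef0123456789abcdef"}}

log = logging.getLogger("bole_skill")  # assumed logger name


def redact(secret: str, keep: int = 4) -> str:
    """Show only the last `keep` characters so a log line identifies a credential without disclosing it."""
    if not secret:
        return "<empty>"
    if len(secret) <= keep * 2:
        return "*" * len(secret)
    return "*" * (len(secret) - keep) + secret[-keep:]


def load_access_key(env=os.environ) -> str:
    """Read the secret from the environment and refuse to continue with an empty value."""
    key = env.get("BOLE_ACCESS_KEY")
    if not key:
        raise RuntimeError("BOLE_ACCESS_KEY is not set; declare and supply it as a secret")
    return key


def extract_token(resp_json: dict) -> str:
    """Same extraction as the skill, but the raw token never reaches stderr or the log."""
    token = resp_json.get("data", {}).get("access_token")
    if not token:
        raise RuntimeError("token endpoint returned no access_token")
    log.info("obtained access token %s (len=%d)", redact(token), len(token))
    return token


def logs_leak_token(resp_json: dict) -> bool:
    """Self-check: capture everything extract_token logs and report whether the raw token appears."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    try:
        token = extract_token(resp_json)
    finally:
        log.removeHandler(handler)
    return token in buf.getvalue()
```

The `logs_leak_token` check is the kind of assertion worth keeping in the skill's own tests: it fails as soon as anyone reintroduces a print of the full token.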

What this means

Generated content and account activity may be placed into an unexpected Bole project, potentially mixing user data or affecting resources the user did not intend to use.

Why it was flagged

The skill uses the user's authenticated token to create Bole resources under a fixed hardcoded project ID, without letting the user choose or confirm the project scope.

Skill content
project_id = "2033716579396616193"
episode_id = create_episode(token, project_id)
Recommendation

Require an explicit user-provided project ID or clearly disclose the fixed project, and confirm before creating or modifying Bole account resources.
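One way to enforce that recommendation, as an added example and not the skill's own code: the project scope comes from an explicit user value first, then from a disclosed default only after the user confirms it, and an unrecognised or empty scope aborts before any resource is created. The fixed ID is the one quoted above; the BOLE_PROJECT_ID variable name, the `confirm` callback and the `create_episode` stub are assumptions for this example.

```python
import os
from typing import Callable, Optional

HARDCODED_PROJECT_ID = "2033716579396616193"  # the fixed ID quoted in the finding


class ProjectScopeError(ValueError):
    """Raised when no project scope can be established with the user's consent."""


def resolve_project_id(
    user_project_id: Optional[str],
    confirm: Callable[[str], bool],
    default_project_id: Optional[str] = None,
) -> str:
    """Return the project ID to operate on.

    Preference order: an explicit user-provided ID, then a disclosed default that the
    user confirms. There is no silent fallback to a constant.
    """
    candidate = (user_project_id or "").strip()
    if candidate:
        return candidate
    if default_project_id is None:
        raise ProjectScopeError("no project ID given; set BOLE_PROJECT_ID or pass one explicitly")
    if not confirm(default_project_id):
        raise ProjectScopeError(f"user declined to create resources in project {default_project_id}")
    return default_project_id


def create_episode_in_scope(token: str, confirm: Callable[[str], bool], create_episode, env=os.environ):
    """Guarded replacement for the quoted call site; create_episode is the skill's own function (stubbed here)."""
    project_id = resolve_project_id(env.get("BOLE_PROJECT_ID"), confirm, HARDCODED_PROJECT_ID)
    return project_id, create_episode(token, project_id)


def _fake_create_episode(token: str, project_id: str) -> str:
    """Constructed stand-in for the skill's create_episode, so the example runs offline."""
    return f"episode-in-{project_id}"
```

Wiring `confirm` to an interactive prompt (or to a non-interactive `--yes` flag that the caller must set deliberately) is what turns the hidden constant into a disclosed, consented default.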

What this means

Users have less assurance that the reviewed package identity matches the published skill they intend to install.

Why it was flagged

The bundled metadata conflicts with the registry identity shown for this skill, which is slug bole-story-creator, version 1.0.0, and a different owner ID.

Skill content
"ownerId": "kn7edm8zkg9qx4ec9dxapn0f5x833km7",
"slug": "boka-movie-skills",
"version": "1.0.1"
Recommendation

Publish consistent metadata across the registry and package files, and provide a clear source or homepage for provenance.
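The check an installer or reviewer can run to catch this class of mismatch, added here as an example rather than taken from ClawScan or the skill: compare the identity fields of the bundled metadata with the registry record and refuse to proceed on any disagreement. The bundled values are the ones quoted above; the registry record is a constructed object with the slug and version stated in the finding and a placeholder owner ID, since the page does not show the registry's owner value.

```python
import json

IDENTITY_FIELDS = ("slug", "version", "ownerId")

# Quoted from the finding (the package's own metadata).
BUNDLED_METADATA_JSON = (
    '{"ownerId": "kn7edm8zkg9qx4ec9dxapn0f5x833km7", '
    '"slug": "boka-movie-skills", "version": "1.0.1"}'
)

# Constructed registry record: slug and version as stated in the finding, owner ID is a placeholder.
REGISTRY_RECORD = {"slug": "bole-story-creator", "version": "1.0.0", "ownerId": "<registry-owner-id>"}


def compare_identity(bundled: dict, registry: dict) -> dict:
    """Return {field: (bundled_value, registry_value)} for every identity field that differs or is missing."""
    mismatches = {}
    for field in IDENTITY_FIELDS:
        b, r = bundled.get(field), registry.get(field)
        if b != r:
            mismatches[field] = (b, r)
    return mismatches


def verify_package_identity(bundled_json: str, registry: dict):
    """Parse the bundled metadata and report (ok, messages); ok is False on any mismatch."""
    bundled = json.loads(bundled_json)
    mismatches = compare_identity(bundled, registry)
    messages = [
        f"{field}: package says {b!r}, registry says {r!r}" for field, (b, r) in mismatches.items()
    ]
    return (not mismatches, messages)
```

Run against the quoted metadata this reports all three fields; a package whose slug, version and owner match the registry listing passes with an empty message list.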

What this means

If the Bole API never reports completion, the skill may keep running and making API calls until manually stopped.

Why it was flagged

The code repeatedly polls Bole API status without a maximum retry count or timeout.

Skill content
while not get_tracks(token, workspace_id):
    time.sleep(10)
...
while not check_final_video_status(token, workspace_id):
    time.sleep(10)
Recommendation

Add bounded retries, a timeout, and a clear error message when generation does not complete.
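A bounded replacement for the two quoted polling loops, added as an example for this advisory and not code from the skill: a single `wait_until` helper that stops on whichever bound is reached first (wall-clock timeout or attempt count) and raises a named error with a clear message. The injectable `sleep` and `clock` parameters and the `FakeClock` class exist so the example can be exercised offline; `get_tracks` and `check_final_video_status` are the skill's own functions and are only passed in here.

```python
import time
from typing import Callable


class GenerationTimeout(RuntimeError):
    """Raised when a Bole generation step does not report completion within the configured bounds."""


def wait_until(
    check: Callable[[], bool],
    what: str,
    timeout_s: float = 600.0,
    max_attempts: int = 60,
    interval_s: float = 10.0,
    sleep: Callable[[float], None] = time.sleep,
    clock: Callable[[], float] = time.monotonic,
) -> int:
    """Poll `check` until it returns True; return the number of attempts used.

    Gives up before the next sleep would exceed `timeout_s`, and after `max_attempts`
    checks, whichever comes first.
    """
    start = clock()
    for attempt in range(1, max_attempts + 1):
        if check():
            return attempt
        if attempt == max_attempts:
            break
        elapsed = clock() - start
        if elapsed + interval_s > timeout_s:
            raise GenerationTimeout(f"{what}: not complete after {attempt} attempts ({elapsed:.0f}s); giving up")
        sleep(interval_s)
    raise GenerationTimeout(f"{what}: not complete after {max_attempts} attempts; giving up")


def run_generation(get_tracks, check_final_video_status, token: str, workspace_id: str, **bounds) -> None:
    """Bounded equivalent of the skill's two while-loops (functions are the skill's own, passed in)."""
    wait_until(lambda: get_tracks(token, workspace_id), "track generation", **bounds)
    wait_until(lambda: check_final_video_status(token, workspace_id), "final video render", **bounds)


class FakeClock:
    """Constructed clock for offline demonstration: sleeping advances time instead of blocking."""

    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds
```

In production the defaults (10 s interval, 60 attempts, 10 min ceiling) give roughly the same cadence as the original loops while guaranteeing the skill exits with an actionable error instead of polling indefinitely.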