remotion-best-practices
Pass
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: SAFE
Full Analysis
- Indirect Prompt Injection (LOW): Several rule files (e.g.,
rules/calculate-metadata.md,rules/lottie.md,rules/import-srt-captions.md) provide examples of fetching remote data from URLs or APIs. This represents a vulnerability surface where untrusted data is ingested into the agent's context. - Ingestion points:
fetch()calls incalculateMetadataand component effects for assets like Lottie JSON and SRT subtitles. - Boundary markers: Not explicitly defined in snippets.
- Capability inventory: Network operations (
fetch), file reads (staticFile), and command execution (CLI installation helpers). - Sanitization: No explicit sanitization of external data is shown in the examples.
- External Downloads (SAFE): The skill references various
@remotion/*utility packages and Google Fonts. These are standard dependencies for the Remotion framework and are fetched from legitimate registries (npm) or CDNs. - Command Execution (SAFE): The skill includes instructions for installing necessary dependencies using package managers (npm, yarn, pnpm, bun). These are standard development practices and do not involve obfuscated or malicious commands.
Audit Metadata