remotion-best-practices
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFE (flags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill provides numerous instructions for installing official Remotion packages (e.g., @remotion/three, @remotion/media, @remotion/captions, @remotion/lottie) and well-known libraries like zod, mapbox-gl, and @turf/turf. These downloads target the official NPM registry and recognized technology providers.
- [COMMAND_EXECUTION]: Code examples include shell commands for package management (npm install, npx remotion add, yarn add, bun i). These are standard for setting up a Remotion development environment and do not involve unauthorized or hidden command execution.
- [DATA_EXFILTRATION]: While the skill demonstrates fetching data from external URLs (e.g., Lottie files, subtitles, and API endpoints in calculateMetadata), these operations are part of the framework's intended functionality for dynamic video generation. No unauthorized data exfiltration or sensitive file access was found.
- [CREDENTIALS_UNSAFE]: The rules/maps.md file references a Mapbox access token stored in an environment variable. The provided code uses a placeholder value (pk.your-mapbox-access-token) and does not leak any real credentials.
- [PROMPT_INJECTION]: The markdown content consists solely of technical documentation and code examples without any instructions designed to bypass AI safety filters or override system prompts.
Audit Metadata