remotion-best-practices
Pass
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (LOW): Multiple documentation files (rules/3d.md, rules/audio.md, rules/fonts.md, etc.) instruct users or agents to install official @remotion packages and the mediabunny library via npm, yarn, pnpm, or bun.\n- [COMMAND_EXECUTION] (LOW): The skill provides setup commands like 'npx remotion add' to be run in the terminal for environment configuration.\n- [DATA_EXFILTRATION] (LOW): The skill uses fetch() to access assets from external domains like remotion.media and lottiefiles.com. While these are for legitimate asset loading, they are non-whitelisted network operations.\n- [PROMPT_INJECTION] (LOW): The skill exhibits an indirect prompt injection surface by ingesting untrusted data from URLs.\n
- Ingestion points: calculateMetadata.md (JSON via fetch), lottie.md (JSON via fetch), import-srt-captions.md (text via fetch).\n
- Boundary markers: Absent; no clear delimiters are used to separate external data from system instructions in the examples.\n
- Capability inventory: Network fetch operations and dynamic component rendering based on external inputs.\n
- Sanitization: No sanitization of external text or JSON data is shown in the processing logic.
Audit Metadata