remotion

Warn

Audited by Socket on Mar 4, 2026

1 alert found:

Security: MEDIUM
SKILL.md

This skill's stated purpose—creating Remotion walkthrough videos from Stitch screens—is coherent with the documented capabilities. The principal risks are supply-chain and data-exposure related rather than clear malicious intent in the content: unpinned npm installs and npx usage, broad wildcard tool permissions for MCP access, downloading and parsing arbitrary HTML/assets, and the potential for project data to be sent to a remote Remotion MCP. These behaviors are plausible for the task but require stricter controls (least-privilege tool scopes, pinned dependencies/lockfiles, integrity checks for downloaded assets, explicit guidance on sanitizing parsed HTML, and clear trust boundary for any remote rendering service). I find no code-level backdoors or obfuscated payloads in the provided skill text; the main concern is operational: granting broad agent permissions and executing unpinned third-party code increases supply-chain and data-leak risk.

Confidence: 75%
Severity: 75%
Audit Metadata
Analyzed At
Mar 4, 2026, 08:22 AM
Package URL
pkg:socket/skills-sh/buildbusinessdigitalmeg-ux%2Fstitch-skills%2Fremotion%2F@ff9c6b50c98e38fa3d46560391b16894731d3bc3