remotion-best-practices
Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill facilitates the download of external tools and assets, including the Whisper.cpp binary via the @remotion/install-whisper-cpp package, and various remote audio/video assets from well-known services like ElevenLabs and Mapbox.
- [COMMAND_EXECUTION]: Multiple rules describe the use of command-line tools such as ffmpeg, ffprobe, npx remotion, and custom Node.js scripts to perform video rendering, transcription, and asset management.
- [PROMPT_INJECTION]: An indirect prompt injection surface is present in several components that fetch external data (e.g., Lottie JSON, SRT captions, and dynamic metadata) and process it into video content.
  - Ingestion points: rules/calculate-metadata.md (fetches from props.dataUrl), rules/display-captions.md (fetches JSON captions), rules/import-srt-captions.md (fetches SRT files), and rules/lottie.md (fetches Lottie animations).
  - Boundary markers: Code examples do not demonstrate the use of delimiters or 'ignore' instructions for external content.
  - Capability inventory: The skill uses subprocess execution for rendering (remotion) and file system access (fs.writeFileSync) for saving generated assets.
  - Sanitization: No sanitization or validation of external text/data is performed before it is interpolated into the React rendering cycle or metadata calculations.