remotion-best-practices
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE
Flagged categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides commands for the user or agent to run package installation via npx, bunx, yarn, and pnpm. Examples include npx remotion add @remotion/three and @remotion/media.
- [EXTERNAL_DOWNLOADS]: The skill documents fetching remote assets (videos, images, audio) and data files (JSON for metadata, SRT for captions, Lottie JSON) using the fetch() API and Remotion's media components. It also instructs the agent to fetch documentation from remotion.dev.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by processing untrusted external data.
  - Ingestion points: calculateMetadata (rules/calculate-metadata.md) fetches JSON from props.dataUrl, parseSrt (rules/import-srt-captions.md) processes subtitles from remote files, and Lottie components fetch JSON from external URLs.
  - Boundary markers: None identified in the provided code snippets to delimit external content.
  - Capability inventory: The skill uses fetch to retrieve data and renders it through React components in the Remotion environment.
  - Sanitization: No explicit sanitization or validation of the fetched content is described in the rules.