remotion-best-practices

Pass

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill instructions and code examples define an indirect prompt injection surface where untrusted external data is ingested into the agent context.
      ◦ Ingestion points: The skill suggests fetching data from user-provided URLs in 'rules/calculate-metadata.md', API responses in 'rules/compositions.md', and remote subtitle/Lottie files in 'rules/import-srt-captions.md' and 'rules/lottie.md'.
      ◦ Boundary markers: The provided implementation patterns lack explicit boundary markers or instructions to disregard embedded commands in the fetched external content.
      ◦ Capability inventory: The skill utilizes the 'fetch' API for network operations and suggests executing the 'remotion' CLI via 'npx' for package management.
      ◦ Sanitization: No sanitization or validation logic is present in the examples to filter potential malicious instructions from the external data before it influences the rendering process.
  • [EXTERNAL_DOWNLOADS]: The skill provides instructions for downloading official framework packages and external assets from well-known sources.
      ◦ Fetches configuration and instructions from the official 'remotion.dev' documentation.
      ◦ Downloads official '@remotion/*' packages using the 'remotion add' command.
      ◦ References media assets from 'lottiefiles.com' and other remote URLs for video composition content.
  • [COMMAND_EXECUTION]: The skill includes instructions to execute the 'remotion' CLI for managing project dependencies and adding specific framework features.
      ◦ Recommends using 'npx remotion add' (or the equivalent for bun, yarn, or pnpm) to install necessary libraries such as '@remotion/three', '@remotion/media', and '@remotion/captions'.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 5, 2026, 12:19 PM