remotion
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill identifies surfaces for ingesting untrusted data through network fetches in several components.
  - (1) Ingestion points: fetch calls in references/calculate-metadata.md, references/import-srt-captions.md, and references/lottie.md.
  - (2) Boundary markers: No delimiters or warnings to ignore instructions within the data are present in the examples.
  - (3) Capability inventory: The skill performs network operations and dynamic property updates for rendering video content.
  - (4) Sanitization: No explicit sanitization or validation of the fetched data is demonstrated in the code examples.
- [Dynamic Execution] (LOW): The use of calculateMetadata and dynamic asset loading (fonts, media) involves runtime logic to determine composition properties. This is a standard framework feature and does not involve unsafe execution of untrusted code strings.
- [Unverifiable Dependencies & Remote Code Execution] (SAFE): The skill recommends installing several official @remotion scope packages. No piped remote script execution or untrusted source patterns were found.
Audit Metadata