remotion-best-practices
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill guides users to install various official and standard packages required for video production, including `@remotion/three`, `@remotion/media`, `mapbox-gl`, `zod`, and `mediabunny`.
- [COMMAND_EXECUTION]: Provides instructions for using Remotion's CLI tools (e.g., `npx remotion add`, `bunx remotion ffmpeg`) to manage project dependencies and perform video processing tasks.
- [REMOTE_CODE_EXECUTION]: Utilizes the `@remotion/install-whisper-cpp` library, which programmatically installs the Whisper.cpp binaries and models. This is a documented and intended functionality for audio transcription within the Remotion ecosystem.
- [DATA_EXFILTRATION]: Instructs users on how to manage sensitive environment variables like `ELEVENLABS_API_KEY` and `REMOTION_MAPBOX_TOKEN`. These are used for legitimate authentication with established third-party services (ElevenLabs and Mapbox).
- [INDIRECT_PROMPT_INJECTION]: The skill establishes several data ingestion points where external, potentially untrusted data is processed, such as fetching Lottie JSON animations, SRT subtitles, and caption files.
  - Ingestion points: rules/lottie.md (Lottie JSON), rules/import-srt-captions.md (SRT files), rules/display-captions.md (Caption JSON).
  - Boundary markers: Not explicitly defined in code snippets, though this is typical for asset-loading logic.
  - Capability inventory: Uses `fetch()`, `installWhisperCpp()`, and `extractFrames()` (via Mediabunny).
  - Sanitization: Standard React rendering and Mediabunny parsing are used, which provide baseline protection, though developers should remain cautious of untrusted asset sources.
Audit Metadata