remotion-best-practices

Pass

Audited by Gen Agent Trust Hub on Feb 26, 2026

Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill provides instructions for installing numerous official packages from the @remotion ecosystem (e.g., @remotion/media, @remotion/three, @remotion/captions) and other well-known libraries such as mapbox-gl and zod via standard package managers.
  • [EXTERNAL_DOWNLOADS]: In rules/transcribe-captions.md, the skill describes using @remotion/install-whisper-cpp to programmatically download and install the Whisper.cpp binary and associated models. This is a legitimate utility for the skill's primary purpose of audio transcription.
  • [COMMAND_EXECUTION]: The skill includes code snippets for executing system-level commands, specifically utilizing FFmpeg via bunx or child_process.execSync to perform video processing tasks like trimming and format conversion.
  • [CREDENTIALS_UNSAFE]: Documentation in rules/maps.md and rules/voiceover.md guides users to store REMOTION_MAPBOX_TOKEN and ELEVENLABS_API_KEY in a .env file. These instructions use placeholder text and represent standard secure development practices for managing third-party API keys.
  • [PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection (Category 8) because it processes untrusted external data sources, such as fetching JSON from remote URLs (Lottie animations) or parsing user-supplied subtitle files (.srt), and possesses capabilities like system command execution (FFmpeg).
  • Ingestion points: rules/calculate-metadata.md (fetch dataUrl), rules/import-srt-captions.md (fetch srt), rules/lottie.md (fetch json).
  • Boundary markers: Absent in provided snippets.
  • Capability inventory: fetch(), child_process.execSync() (ffmpeg), fs.writeFileSync().
  • Sanitization: Not explicitly implemented in documentation examples. This finding is assessed as low risk because these operations are fundamental to the skill's intended purpose of dynamic video generation.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 26, 2026, 12:26 AM