remotion-best-practices
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill documentation provides instructions for installing various Remotion sub-packages and utilities from npm/yarn/pnpm/bun. These include `@remotion/three`, `@remotion/media-utils`, `@remotion/media`, `@remotion/paths`, and `@remotion/captions`. All listed packages are official parts of the Remotion ecosystem.
- [COMMAND_EXECUTION]: The skill includes shell command examples for developers to run during setup, such as `npx remotion add @remotion/three`. These are standard installation commands for the framework.
- [DATA_EXFILTRATION]: Code examples in `calculate-metadata.md` and `compositions.md` demonstrate the use of the `fetch` API to retrieve dynamic data from external URLs (e.g., `props.dataUrl`). While this is a standard feature for dynamic video generation, it represents a data ingestion surface that should be monitored for Server-Side Request Forgery (SSRF) if user-provided URLs are not validated.
- [INDIRECT_PROMPT_INJECTION]: The skill has an attack surface for indirect injection as it processes external data through `fetch` calls and media processing libraries like `mediabunny`.
  - Ingestion points: `calculate-metadata.md`, `compositions.md`, and `display-captions.md` utilize `fetch` to ingest data from remote URLs or local files into the composition's props.
  - Boundary markers: The provided code examples do not include explicit boundary markers or instructions to ignore embedded commands in the fetched data.
  - Capability inventory: The skill primarily uses these ingestion points to set composition metadata (duration, dimensions) or render text/media content. It does not demonstrate automated execution of commands based on this data, though it provides instructions for manual setup commands.
  - Sanitization: The examples do not demonstrate sanitization or schema validation of the JSON responses fetched from external sources.
Audit Metadata