remotion-render
Audited by Socket on Feb 23, 2026
1 alert found:
Malware [Skill Scanner]: Pipe-to-shell or eval pattern detected

All findings:
[CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4]
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]

This package/documentation implements a legitimate remote TSX-to-video rendering service. The primary security concerns are supply-chain and data-exfiltration risks: (1) the recommended curl | sh installer pattern and remote binary download from dist.inference.sh; (2) uploading and executing arbitrary user code and props on a third-party backend (which may expose secrets or allow unintended network/file access); and (3) implied credential handling via infsh login. There is no direct evidence in the provided materials of embedded malware or backdoors, but operational trust in the inference.sh distribution and runtime environment is required.

Mitigations: avoid pipe-to-shell installs (manually download & verify checksums), do not include secrets in uploaded code/props, review the service's runtime isolation and data retention policies, and limit use to non-sensitive inputs or run a local renderer when possible.

LLM verification: No explicit malware is present in the SKILL.md content itself, and the skill's capabilities align with its stated purpose (remote Remotion rendering). However, the use of a pipe-to-shell installer, distribution from project-controlled domains, and the requirement to upload arbitrary TSX and to log into the CLI create meaningful supply-chain and data-exfiltration risks. Treat this skill as suspicious: safe only if you trust the inference.sh provider, manually verify downloaded binaries/checksums,