remotion-best-practices

Audit result: Pass

Audited by Gen Agent Trust Hub on Feb 20, 2026

Risk Level: SAFE

Full Analysis
  • Indirect Prompt Injection (LOW): The skill documentation includes patterns for fetching data from external URLs (such as JSON metadata, Lottie animation files, and SRT subtitles) during the rendering process. While standard for the Remotion ecosystem, this represents a potential surface where untrusted data could be ingested into the video generation pipeline.
      • Evidence: rules/calculate-metadata.md, rules/compositions.md, and rules/lottie.md all demonstrate the use of fetch() to retrieve external resources.
  • Credential Handling (SAFE): The skill provides instructions for managing ElevenLabs API keys for AI voiceover generation. It correctly advises the use of environment variables and .env files rather than hardcoding credentials, and it explicitly instructs the AI agent to ask the user for the key if it is not configured.
      • Evidence: rules/voiceover.md contains clear guidelines on setting up ELEVENLABS_API_KEY safely.
  • External Downloads (LOW): The skill includes instructions for downloading and installing specialized binaries (such as Whisper.cpp) and models for transcription tasks. These operations are performed via reputable community packages (@remotion/install-whisper-cpp) and are intended for local development environments.
      • Evidence: rules/transcribe-captions.md provides an example script that uses installWhisperCpp and downloadWhisperModel.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 20, 2026, 07:12 AM