remotion-best-practices
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
Flags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The transcription guide (rules/transcribe-captions.md) provides code examples that reference using child_process.execSync to run ffmpeg commands for audio conversion.
- [EXTERNAL_DOWNLOADS]: The skill recommends installing multiple dependencies from the @remotion ecosystem and third-party libraries like mapbox-gl and zod. It also includes patterns for downloading external assets and binaries, such as Whisper.cpp models and Lottie animations from remote URLs.
- [PROMPT_INJECTION]: Multiple rules (rules/calculate-metadata.md, rules/lottie.md, and rules/compositions.md) describe fetching JSON data from external URLs provided through component props.
  - Ingestion points: Data entering via fetch() from props.dataUrl, props.videoId, or remote Lottie asset URLs.
  - Boundary markers: The provided examples do not implement boundary markers or instructions to ignore instructions embedded in the fetched data.
  - Capability inventory: The skill environment includes network access via fetch() and the ability to execute system commands via the child_process module.
  - Sanitization: There is no evidence of sanitization or validation of the fetched external JSON content before it is passed to React components or the Remotion metadata pipeline.
Audit Metadata