remotion-best-practices
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION] (LOW): The skill contains multiple instructions to install npm packages using `npx remotion add`, `npm`, `yarn`, `pnpm`, and `bun`. These commands are standard for setting up the Remotion environment and its official extensions.
- [EXTERNAL_DOWNLOADS] (LOW): Code examples in files like `lottie.md`, `import-srt-captions.md`, and `calculate-metadata.md` utilize the `fetch()` API to download external assets such as JSON files, subtitles, and remote video metadata. This is a common requirement for dynamic video generation.
- [Indirect Prompt Injection] (LOW):
  - Ingestion points: Untrusted data enters the agent's context through `fetch()` operations for Lottie animations, SRT files, and API-driven metadata in `calculateMetadata` functions.
  - Boundary markers: No specific boundary markers or instructions to treat fetched content as untrusted are provided in the rules.
  - Capability inventory: The skill uses `fetch` and supports package installation via shell commands.
  - Sanitization: The skill advocates for the use of Zod schemas in `rules/parameters.md`, which provides structured validation for component props and input data.
Audit Metadata