remotion-best-practices

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • EXTERNAL_DOWNLOADS (SAFE): The skill provides instructions to install various official @remotion packages and the mediabunny library using standard package managers. These are trusted dependencies within the Remotion ecosystem.
  • COMMAND_EXECUTION (SAFE): Shell command examples for adding Remotion plugins (e.g., 'npx remotion add @remotion/three') are provided. These are standard and expected operations for the target framework.
  • DATA_EXFILTRATION (SAFE): Code examples include fetch() calls to external APIs or assets (e.g., Lottie files). These target public or illustrative URLs and do not involve sensitive local data.
  • PROMPT_INJECTION (LOW): The skill demonstrates patterns for fetching data from dynamic URLs via calculateMetadata. Because fetched content flows into dynamic props without sanitization, this is an indirect prompt-injection surface when the fetched source is untrusted. Evidence: Ingestion points: rules/calculate-metadata.md; Boundary markers: None; Capability inventory: network fetches, dynamic props; Sanitization: None.
  • REMOTE_CODE_EXECUTION (SAFE): No instances of downloading and executing remote scripts or piping content to shells were detected.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:18 PM