remotion-promo-video-factory
Pass
Audited by Gen Agent Trust Hub on Mar 20, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill ingests data from local project context (README, docs, landing pages) to inform narrative and video creation, which represents an indirect prompt injection surface.
  - Ingestion points: Identified in SKILL.md Step 1 as project READMEs, documentation, and existing UI examples.
  - Boundary markers: No explicit markers or instructions are provided to the agent to distinguish between project data and instructions within those files.
  - Capability inventory: The agent can execute provided shell scripts (scripts/capture-frames.sh, scripts/verify-build.sh) and run commands via npx.
  - Sanitization: No sanitization or validation of the ingested project data is implemented in the workflow.
- [COMMAND_EXECUTION]: The skill includes shell scripts for automation. scripts/capture-frames.sh executes npx remotion still to capture frames, and scripts/verify-build.sh runs npx tsc and npm run to verify project integrity.
- [EXTERNAL_DOWNLOADS]: The skill triggers downloads and executions of Node.js packages via npx and npm as part of its standard build and verification process.
Audit Metadata