stitch-remotion
Pass
Audited by Gen Agent Trust Hub on Apr 2, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches project screenshots and HTML metadata from Stitch (a Google service) and downloads official animation libraries from the Remotion npm registry.
- [COMMAND_EXECUTION]: Uses Bash to manage Node.js environments, install project dependencies (npm install), and execute the video rendering pipeline (npx remotion render).
- [DYNAMIC_EXECUTION]: Programmatically generates TypeScript React components (ScreenSlide.tsx and WalkthroughComposition.tsx) at runtime based on project-specific metadata to define the video structure.
- [PROMPT_INJECTION]: The skill ingests project-specific data to generate video overlays and narration scripts, creating an indirect prompt injection surface.
- Ingestion points: Screen titles, descriptions, and HTML code retrieved from Stitch projects via the get_screen tool (SKILL.md).
- Boundary markers: None identified in the provided instructions.
- Capability inventory: File system writes, Bash execution, and programmatic video rendering via Remotion (SKILL.md).
- Sanitization: No explicit sanitization or filtering of external project content is described.
Audit Metadata