remotion-best-practices

Pass

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: SAFE
Categories: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill guides the installation of various official Remotion packages and third-party libraries (e.g., mapbox-gl, turf, zod) through standard package managers.
  • [EXTERNAL_DOWNLOADS]: Provides instructions for downloading Whisper.cpp binaries and machine learning models using the @remotion/install-whisper-cpp library.
  • [COMMAND_EXECUTION]: Includes CLI command examples for package management, FFmpeg operations via the Remotion CLI, and the execution of Node.js scripts for audio transcription.
  • [DATA_EXFILTRATION]: Code examples demonstrate fetching data and assets from external APIs (ElevenLabs, LottieFiles) and dynamic URLs provided via component props, which is standard functionality for video generation.
  • [PROMPT_INJECTION]: The skill includes instructions for the AI agent to follow specific logic, such as prompting the user for an API key if environment variables are missing.
  • [PROMPT_INJECTION]: Potential indirect injection surfaces exist where the agent is instructed to fetch and process data from external URLs (e.g., props.dataUrl in rules/calculate-metadata.md and rules/display-captions.md). There are no explicit boundary markers or sanitization steps shown in the snippets, though the risk is low as this is a standard data-processing pattern.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 6, 2026, 12:34 PM