remotion-best-practices
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFE (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [COMMAND_EXECUTION]: The skill documentation describes the use of ffmpeg and ffprobe through the remotion CLI for video processing tasks such as trimming and metadata extraction.
- [EXTERNAL_DOWNLOADS]: The skill provides instructions for installing and using the @remotion/install-whisper-cpp package, which downloads the Whisper.cpp binary and associated AI models to the local environment for speech-to-text transcription. This is a vendor-supported tool intended for caption generation.
- [EXTERNAL_DOWNLOADS]: The skill references several official @remotion/-scoped packages (e.g., @remotion/three, @remotion/lottie, @remotion/captions) that are standard extensions for the video framework.
- [EXTERNAL_DOWNLOADS]: The code examples demonstrate fetching remote assets, including Lottie animations from LottieFiles and metadata from user-defined API endpoints via fetch().
- [SAFE]: Evaluation of Indirect Prompt Injection (Category 8) vulnerability surface:
  - Ingestion points: Remote JSON data via calculateMetadata, external caption files (.srt, .json), and remote media sources (images, videos, audio).
  - Boundary markers: No specific delimiters are used to wrap external content.
  - Capability inventory: Access to ffmpeg and ffprobe via subprocess, network requests via fetch, and local file writing for caching captions and audio.
  - Sanitization: Standard React/Remotion component safety is assumed, though the provided snippets do not show explicit sanitization of remote JSON fields before interpolation.
Audit Metadata