remotion-best-practices

Warn

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides patterns for executing external processes and scripts.
    • rules/transcribe-captions.md: Recommends using child_process.execSync to invoke ffmpeg for audio conversion. execSync runs its argument through a shell, so any file name or option interpolated into the command string is shell-interpreted.
    • rules/voiceover.md: Instructs the agent/user to execute a custom Node.js script using node --env-file=.env to generate voiceovers.
  • [EXTERNAL_DOWNLOADS]: The skill frequently instructs the agent to install external dependencies and assets.
    • Multiple files (rules/3d.md, rules/audio.md, rules/fonts.md, etc.) provide commands to install various @remotion/* packages, zod@3.22.3, mapbox-gl, and @turf/turf from the NPM registry.
    • rules/lottie.md: Fetches Lottie animation JSON files from assets4.lottiefiles.com.
    • rules/tailwind.md: Directs the agent to fetch documentation from www.remotion.dev.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting untrusted data.
    • Ingestion points: calculateMetadata functions in rules/calculate-metadata.md and rules/compositions.md fetch JSON data from external URLs supplied via component props, so the URL and therefore the fetched content are attacker-influenceable.
    • Boundary markers: None identified. There are no delimiters or instructions to ignore embedded commands in the fetched data.
    • Capability inventory: The skill uses the fetch API to retrieve remote data and calculateMetadata to feed that data into the rendering pipeline (composition timing and props).
    • Sanitization: None identified. Fetched data is spread directly into the component's props object without validation or filtering, so every key in the remote JSON becomes a prop.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 6, 2026, 02:12 PM