remotion-best-practices-2

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). Yes — several rule files explicitly instruct fetching and ingesting arbitrary remote URLs (e.g., rules/calculate-metadata.md uses fetch(props.dataUrl) to transform props, rules/lottie.md fetches Lottie JSON from assets4.lottiefiles.com, and rules/import-srt-captions.md / rules/assets.md allow fetching remote subtitles/media), meaning untrusted third‑party content is read and can directly change props, durations, or rendering behavior.