remotion-video-production
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill generates React/TypeScript source code (src/Video.tsx) based on user-provided instructions and subsequently executes it using 'npx remotion'. This pattern of dynamic code generation and execution is a major security concern as it can be used to execute arbitrary system commands if the input is not strictly validated.
- [REMOTE_CODE_EXECUTION] (MEDIUM): The workflow utilizes 'npx', which downloads and executes packages from the npm registry at runtime. While the intended package is 'remotion', the use of npx introduces a risk of dependency confusion or the execution of untrusted code if the environment is compromised.
- [PROMPT_INJECTION] (LOW): The skill is susceptible to indirect prompt injection. Because it ingests untrusted user data to define the 'Video Spec' and 'Scene Plan', a carefully crafted prompt could attempt to inject malicious code into the 'src/Video.tsx' file generated in later steps.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill expects to download or install Node.js packages at runtime to perform rendering. Without pinned versions or integrity checks (hashes), there is a risk of downloading malicious versions of dependencies.
Recommendations
- AI detected serious security threats
Audit Metadata