remotion-best-practices
Pass
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: SAFE (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (SAFE): The skill provides instructions for installing dependencies using npx, bunx, yarn, and pnpm. These are standard development commands for the Remotion ecosystem.
- [EXTERNAL_DOWNLOADS] (SAFE): Referenced external packages (e.g., @remotion/media, @remotion/three, @remotion/captions) and media assets (remotion.media) are from legitimate sources within the library's ecosystem.
- [PROMPT_INJECTION] (LOW): File rules/tailwind.md contains an instruction for the agent to use WebFetch to retrieve further setup instructions from an external URL.
- [DATA_EXFILTRATION] (LOW): Code snippets demonstrate fetching data from remote URLs (e.g., rules/calculate-metadata.md). This is a standard pattern for dynamic video content but represents a surface for Indirect Prompt Injection (Category 8) if the data source is untrusted.
- [Category 8 Evidence Chain]:
  1. Ingestion points: rules/calculate-metadata.md (props.dataUrl), rules/lottie.md (lottiefiles.com), rules/import-srt-captions.md (static/remote .srt).
  2. Boundary markers: Absent in examples.
  3. Capability inventory: fetch(), JSON.parse(), @remotion/captions parsing.
  4. Sanitization: Not explicitly demonstrated in code snippets.
Audit Metadata