Skills
skills/yangagent/remotion-video-skill/srt-remotion-video/Gen Agent Trust Hub

srt-remotion-video

Pass

Audited by Gen Agent Trust Hub on May 9, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses spawnSync and shell commands in several scripts to automate the development environment.
  • scripts/ensure-template-deps.js executes npm install and npm --version to manage local project dependencies.
  • SKILL.md instructs the agent to run npx remotion render for video synthesis and npx remotion studio for previewing.
  • [EXTERNAL_DOWNLOADS]: The project downloads standard Node.js packages (e.g., remotion, react, lucide-react) from the official npm registry as part of the project initialization process.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes user-provided SRT files, which are used as input for sub-agents to generate React code and storyboard plans. This creates a potential attack surface where malicious text in an SRT could attempt to influence the LLM's code generation logic.
  • Ingestion points: SRT files provided by the user via the srtPath parameter.
  • Boundary markers: The sub-agent prompts in SKILL.md use structural instructions but lack explicit delimiters or "ignore instructions" wrappers for the ingested text.
  • Capability inventory: The skill can execute shell commands, write files to the local system, and execute generated React code via the Remotion renderer.
  • Sanitization: The skill includes several validation scripts (validate-project.js, validate-scene-plan.js) that check for structural integrity and timing constraints, though they do not perform semantic sanitization of the subtitle content itself.
Audit Metadata
Risk Level
SAFE
Analyzed
May 9, 2026, 03:44 AM