remotion-best-practices
Pass
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill provides instructions for installing official Remotion ecosystem packages (such as @remotion/media, @remotion/three, and @remotion/captions) and well-known industry libraries (such as Three.js, Mapbox GL JS, and Zod). These dependencies are standard for the intended use cases and originate from trusted or established registries. It also references official media assets from remotion.media and well-known third-party services like LottieFiles.
- [DATA_EXFILTRATION]: Instructions for managing sensitive API keys for external services (Mapbox, ElevenLabs) recommend using environment variables and .env files. This aligns with industry-standard security practices for credential management and prevents accidental exposure of secrets in source code.
- [COMMAND_EXECUTION]: The documentation includes standard development commands for package installation and utilizing video processing CLI tools (e.g., bunx remotion ffmpeg). These commands are necessary for the development workflow and are restricted to common, non-malicious use cases within the framework's scope.
- [PROMPT_INJECTION]: The skill describes patterns for fetching dynamic data (e.g., in calculate-metadata.md and compositions.md) which serves as an indirect prompt injection surface.
- Ingestion points: rules/calculate-metadata.md and rules/compositions.md (fetch calls retrieve props and metadata from remote URLs).
- Boundary markers: The examples do not explicitly demonstrate the use of XML-style tags or delimiters for the ingested data.
- Capability inventory: Data ingestion is linked to framework capabilities such as fetch, getVideoDuration, and getVideoDimensions.
- Sanitization: Standard framework examples are provided without specific sanitization logic, though the intended use is for structured metadata rather than direct prompt generation.
Audit Metadata