remotion-best-practices
Pass
Audited by Gen Agent Trust Hub on May 7, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill provides numerous commands using package managers ("npm", "yarn", "pnpm", "bun") and "npx" to install Remotion-specific packages and run Remotion CLI tools (e.g., "npx remotion studio", "npx remotion render"). These are standard operations for setting up and using a Remotion project.
- [EXTERNAL_DOWNLOADS]: The skill references several external resources, all of which are well-known services or vendor-controlled domains:
  - Fetches audio and video assets from "remotion.media" (vendor domain).
  - Integrates with "api.elevenlabs.io" for AI voiceover generation.
  - Loads Lottie animations from "assets4.lottiefiles.com" (LottieFiles).
  - Uses Mapbox APIs via "mapbox-gl" for map animations.
  - Downloads Whisper.cpp models using the "@remotion/install-whisper-cpp" package, which is a common utility in the Remotion ecosystem for generating captions.
- [INDIRECT_PROMPT_INJECTION]: The skill describes patterns for ingesting data from external APIs (e.g., in "calculateMetadata" and "voiceover.md"). While this technically creates a surface for indirect prompt injection if the external data is malicious, the skill demonstrates best practices such as using Zod for schema validation ("parameters.md") to sanitize inputs.
Audit Metadata