
remotion-render

Fail

Audited by Gen Agent Trust Hub on Feb 25, 2026

Risk Level: HIGH
Categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The Quick Start instructions include the command curl -fsSL https://cli.inference.sh | sh. This pattern downloads a shell script from a remote URL and executes it directly, allowing for arbitrary code execution on the host system without prior user review.
  • [COMMAND_EXECUTION]: The skill relies on the infsh CLI tool to perform its operations, which is granted execution permissions via the allowed-tools: Bash(infsh *) configuration.
  • [EXTERNAL_DOWNLOADS]: During the installation phase, the skill fetches binary executables from dist.inference.sh. While the documentation claims SHA-256 verification is performed, the integrity of the download depends entirely on the remote script that is executed.
  • [PROMPT_INJECTION]: The skill is designed to accept and process React/TSX code via the code parameter. This input is intended for rendering but constitutes a surface for indirect injection if the code is derived from untrusted third-party data without sanitization.
Recommendations
  • HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 25, 2026, 09:58 PM