remotion-best-practices
Pass
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill guides the user to install various official Remotion packages and third-party libraries (e.g., mapbox-gl, zod) using standard package managers. It also includes instructions for downloading the Whisper.cpp binary from the ggml-org GitHub repository.
- [CREDENTIALS_UNSAFE]: The skill demonstrates safe credential management by instructing users to store sensitive API keys for ElevenLabs and Mapbox in .env files, avoiding hardcoding secrets in the source code.
- [COMMAND_EXECUTION]: The skill provides numerous CLI commands using npx, npm, yarn, pnpm, and bun for scaffolding projects, running the Remotion studio, and rendering videos. These are standard operations for the Remotion development workflow.
- [DATA_EXFILTRATION]: The skill involves network operations to fetch fonts from Google Fonts, assets from the Remotion media CDN, and to interact with the ElevenLabs TTS API. These operations target well-known and legitimate service providers.
- [PROMPT_INJECTION]: While the skill does not contain direct prompt injection, it defines data ingestion surfaces in rules/calculate-metadata.md and rules/lottie.md where external data is fetched and processed at runtime. This represents a potential indirect prompt injection surface common in data-driven applications.
- Ingestion points: rules/calculate-metadata.md (fetches from props.dataUrl), rules/lottie.md (fetches from external URL), rules/import-srt-captions.md (fetches SRT/JSON captions).
- Boundary markers: Not present.
- Capability inventory: The skill utilizes subprocess execution for rendering (npx remotion render) and file system writes for generating captions and voiceovers.
- Sanitization: Not explicitly implemented in the provided examples.
Audit Metadata