remotion-best-practices
Pass
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The file
rules/transcribe-captions.mdprovides an example of usingexecSyncfrom thechild_processmodule to runffmpegfor audio conversion. This is a common requirement for the Whisper transcription workflow to ensure audio is in the correct format. - [EXTERNAL_DOWNLOADS]: Several rule files recommend installing dependencies via standard package managers. These include official
@remotion/*packages and widely-used libraries such aszod,mapbox-gl, and@turf/turf. - [REMOTE_CODE_EXECUTION]: The file
rules/transcribe-captions.mddemonstrates the use of the@remotion/install-whisper-cpppackage to download and install the Whisper.cpp engine. This is a standard procedure for enabling local speech-to-text capabilities. - [DATA_EXFILTRATION]: Files like
rules/calculate-metadata.md,rules/compositions.md, andrules/lottie.mdinclude code snippets demonstrating the use of thefetchAPI to retrieve dynamic video props, metadata, or animation data from remote URLs. - [PROMPT_INJECTION]: An indirect prompt injection surface exists in
rules/calculate-metadata.mdandrules/display-captions.mdthrough the ingestion of external data. - Ingestion points:
rules/calculate-metadata.md(props.dataUrl),rules/display-captions.md(captions JSON),rules/import-srt-captions.md(SRT text). - Boundary markers: Not present in the provided code examples.
- Capability inventory: Includes
fetch(network access),execSync(system command execution for ffmpeg), andfs.writeFileSync(file system access). - Sanitization: No specific sanitization or validation logic is shown for external data sources.
Audit Metadata