remotion-best-practices

Pass

Audited by Gen Agent Trust Hub on Jun 23, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The file rules/transcribe-captions.md provides an example of using execSync from the child_process module to run ffmpeg for audio conversion. This is a common requirement for the Whisper transcription workflow to ensure audio is in the correct format.
  • [EXTERNAL_DOWNLOADS]: Several rule files recommend installing dependencies via standard package managers. These include official @remotion/* packages and widely-used libraries such as zod, mapbox-gl, and @turf/turf.
  • [REMOTE_CODE_EXECUTION]: The file rules/transcribe-captions.md demonstrates the use of the @remotion/install-whisper-cpp package to download and install the Whisper.cpp engine. This is a standard procedure for enabling local speech-to-text capabilities.
  • [DATA_EXFILTRATION]: Files like rules/calculate-metadata.md, rules/compositions.md, and rules/lottie.md include code snippets demonstrating the use of the fetch API to retrieve dynamic video props, metadata, or animation data from remote URLs.
  • [PROMPT_INJECTION]: An indirect prompt injection surface exists in rules/calculate-metadata.md and rules/display-captions.md through the ingestion of external data.
  • Ingestion points: rules/calculate-metadata.md (props.dataUrl), rules/display-captions.md (captions JSON), rules/import-srt-captions.md (SRT text).
  • Boundary markers: Not present in the provided code examples.
  • Capability inventory: Includes fetch (network access), execSync (system command execution for ffmpeg), and fs.writeFileSync (file system access).
  • Sanitization: No specific sanitization or validation logic is shown for external data sources.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 23, 2026, 06:06 AM
Security Audit — agent-trust-hub — remotion-best-practices