yyl-remotion-video

Fail

Audited by Snyk on Jun 18, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.70). Most URLs point to legitimate sites (remotion.dev, img.shields.io) and repository source files, but the GitHub repo (ttfake92-lab/skills) is an unknown account and the README suggests installing/running code via npx/GitHub which could fetch and execute arbitrary third‑party code, so it should be treated as potentially risky.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The README and install instructions tell operators to run remote-install commands (e.g., SKILL_BASE_URL=https://github.com/ttfake92-lab/skills/tree/main npx skill skills/yyl-remotion-video and npx skills@latest add ttfake92-lab/skills), which will fetch and execute remote code from that GitHub URL/npm packages at runtime, so this is a runtime external dependency that can execute code.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Jun 18, 2026, 02:42 AM
Issues: 2