Remotion Best Practices

Security checks across malware telemetry and agentic risk

Overview

This is a Remotion documentation skill with examples and no confirmed hidden, destructive, credential-seeking, or persistent behavior.

Install only if you want Remotion-specific coding guidance. Review generated code before running package-add commands, and prefer trusted or local media assets when privacy, reproducibility, or network access matters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 90%
Finding
The activation guidance is overly broad: 'Use this skills whenever you are dealing with Remotion code' can cause the agent to invoke the skill for nearly any Remotion-related task, even when only a small subset of the guidance is relevant. Over-broad invocation increases the chance of unnecessary context injection, reduced precision, and accidental application of generic advice in inappropriate situations.

Missing User Warnings

Low
Confidence: 84%
Finding
The guidance explicitly recommends loading remote images by URL but does not mention that doing so triggers external network requests during rendering and may expose IP address, request metadata, or create tracking/dependency risks. In a documentation skill, this is not overtly malicious, but it can lead users to unknowingly include privacy-sensitive external fetches or suffer reliability issues if third-party assets change or become unavailable.

VirusTotal

66/66 vendors flagged this skill as clean.
