Remotion

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: remotion
Version: 1.0.1

The skill bundle contains documentation and example React/Remotion components for video creation. It includes standard package installation commands (e.g., `npx remotion add @remotion/three`) and examples of fetching remote resources from legitimate domains (e.g., `lottiefiles.com`, `remotion.media`) or user-provided URLs. There is no evidence of malicious intent, data exfiltration, unauthorized execution, persistence, obfuscation, or prompt injection against the agent beyond its stated purpose of providing Remotion best practices.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the user runs these examples, their project dependencies may change and package-manager code may be installed or executed.

Why it was flagged

The documentation recommends user-run package-manager commands to add Remotion dependencies. This is expected for a Remotion guide, but it can install third-party packages and modify project dependency files.

Skill content

`npx remotion add @remotion/three # If project uses npm`

Recommendation

Run these commands only in the intended project, verify package names, and review package.json and lockfile changes afterward.

What this means

Copied code could make network requests during rendering and may depend on remote data controlled by the provided URL.

Why it was flagged

The guide includes an example where generated Remotion code fetches a URL supplied through props. External data fetching is purpose-aligned, but users should avoid copying it with untrusted or overly broad URL inputs.

Skill content

`const response = await fetch(props.dataUrl, {signal: abortSignal});`

Recommendation

Use trusted, validated URLs and avoid passing secrets or sensitive data through render props or URLs.