
Security audit

remotion-bozo

Security checks across malware telemetry and agentic risk

Overview

This is a Remotion documentation skill. Its cloud-rendering guidance is disclosed and consistent with its video-generation purpose, but users should treat the Lambda and Cloud Run steps as optional, advanced workflows rather than part of the default path.

Install only if you want Remotion development guidance. The local rendering examples are low-risk for a development tool. Do not run the Lambda or Cloud Run commands unless you intend to create cloud resources, understand the possible costs, and are using least-privilege cloud credentials; try the workflow with non-sensitive test media before rendering anything proprietary.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium (90% confidence)

Finding: The document expands from local Remotion rendering into AWS Lambda deployment and S3 output workflows, which materially widens the skill's operational scope from local project creation to remote cloud execution. In a skill marketed as a one-click Remotion project creation aid, cloud deployment guidance can prompt users or agents to perform networked actions and manage cloud resources they never intended to touch.

Context-Inappropriate Capability

Medium (93% confidence)

Finding: The file instructs users to set AWS credentials and use remote deployment features even though the stated purpose of the skill is Remotion project creation, not cloud infrastructure management. This mismatch raises the risk of unnecessary secret handling and accidental use of privileged cloud capabilities in contexts where users expect only local scaffolding and rendering guidance.

Missing User Warnings

Medium (89% confidence)

Finding: The skill advertises Lambda cloud rendering support but does not warn users that project assets, source content, and rendered outputs will be processed and stored by external infrastructure. In a video-generation context, users may render sensitive media or proprietary content, so the absence of a clear privacy and data-transfer notice can lead to unintended external disclosure.

Missing User Warnings

Medium (95% confidence)

Finding: The markdown includes AWS credential export examples and destructive commands such as Lambda function removal without any warning about secret exposure, IAM scoping, cost, or irreversible operational effects. In agent-assisted settings this normalizes unsafe credential handling and encourages execution of destructive cloud actions without adequate review or confirmation.
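The findings above describe the kinds of lines an auditor looks for in a skill's markdown: credential exports, commands that create or destroy cloud resources, and a declared scope that does not admit them. As an added example (not the audit's or SkillSpector's own code, and not the remotion-bozo SKILL.md), the scanner below runs those checks over a constructed sample skill file. The category names reuse the audit's vocabulary where it fits; the regular expressions, the sample markdown, the placeholder key values, and the description-versus-behavior heuristic are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of a skill markdown file for this example. It is NOT the
# real remotion-bozo SKILL.md; the key values are AWS's documented placeholders.
SAMPLE_SKILL_MD = """\
# Remotion helper

Create a project:

    npx create-video@latest my-video
    npx remotion render src/index.ts MyComp out/video.mp4

Cloud rendering (advanced):

    export AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE
    export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
    npx remotion lambda functions deploy
    npx remotion lambda render my-site MyComp

Cleanup:

    npx remotion lambda functions rmall
"""


@dataclass(frozen=True)
class Finding:
    category: str
    line_no: int
    line: str  # offending line, with any credential value redacted


# Detection rules: (category, regex). Category names follow the audit's
# vocabulary where it fits; the regexes themselves are this example's assumptions.
RULES = [
    ("Credential Access", re.compile(r"\bAWS_(SECRET_ACCESS_KEY|ACCESS_KEY_ID|SESSION_TOKEN)\s*=")),
    ("Env Variable Harvesting", re.compile(r"\b(printenv|env\s*\|\s*grep|cat\s+\S*\.env\b)")),
    ("Cloud Resource Creation", re.compile(r"\bremotion\s+lambda\s+(functions\s+deploy|sites\s+create)\b")),
    ("Remote Execution", re.compile(r"\bremotion\s+lambda\s+render\b")),
    ("Destructive Cloud Action", re.compile(
        r"\b(remotion\s+lambda\s+(functions|sites)\s+rm(all)?|aws\s+(lambda\s+delete-function|s3\s+(rb|rm)))\b")),
    ("External Transmission", re.compile(r"\b(curl|wget)\b.*https?://")),
    ("Sudo/Root Execution", re.compile(r"\bsudo\b")),
]

# Categories that are only appropriate if the skill's description admits cloud scope.
CLOUD_CATEGORIES = {"Credential Access", "Cloud Resource Creation",
                    "Remote Execution", "Destructive Cloud Action"}
SCOPE_WORDS = ("cloud", "lambda", "aws", "remote")


def redact(line: str) -> str:
    """Mask the value of any AWS_* assignment so the report never echoes a secret."""
    return re.sub(r"(AWS_[A-Z_]+\s*=\s*)\S+", r"\1***", line)


def scan_skill(text: str) -> list[Finding]:
    """Apply every rule to every line; a line may produce several findings."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        for category, rx in RULES:
            if rx.search(line):
                findings.append(Finding(category, no, redact(line)))
    return findings


def scope_mismatch(description: str, findings: list[Finding]) -> list[str]:
    """Description-Behavior Mismatch heuristic: return the cloud-scope
    categories found in the body that the declared description does not admit."""
    desc = description.lower()
    if any(word in desc for word in SCOPE_WORDS):
        return []
    return sorted({f.category for f in findings} & CLOUD_CATEGORIES)


if __name__ == "__main__":
    found = scan_skill(SAMPLE_SKILL_MD)
    for f in found:
        print(f"L{f.line_no:<3} {f.category:<26} {f.line}")
    print("scope mismatch:", scope_mismatch("One-click Remotion project creation", found))
```

On the sample, the scanner reports the two credential exports (with values masked), the function deployment, the remote render, and the `rmall` cleanup, and the scope check flags all four cloud categories because the declared description mentions only local project creation. A description that names Lambda or AWS clears the mismatch but not the individual findings, which is the distinction the first two findings above draw.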

VirusTotal

66/66 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.