Remotion Animator

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Remotion video-project scaffold and render helper, with only minor guidance issues around optional proactive offers and recurring render jobs.

Install only if you want an agent to create local Remotion projects, run npm/Remotion commands, and write rendered video files in your workspace. Treat recurring renders as persistent automation: approve them only after confirming the exact schedule, output folder, retention/deletion policy, and removal method.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The recurring automation section instructs users to set up cron jobs for video creation but omits the manifest-required confirmation details: schedule, output directory, file retention policy, and disable method. That can lead an agent to create unattended recurring jobs without sufficiently explicit user consent or operational safeguards, violating the stated permission boundary for recurring automation.

Vague Triggers

Medium
Confidence: 89%
Finding
The generic fallback prompt, "Want me to animate this into a short video?", is broad enough to be suggested for many ambiguous inputs. In a skill with proactive behavior, this can expand triggering beyond the narrowly intended cases and cause unwanted scaffolding prompts, increasing the chance of unnecessary file creation or user confusion.

VirusTotal

63/63 vendors flagged this skill as clean.
