Remotion Video Toolkit

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The provided artifacts are a coherent Remotion documentation-and-examples skill with no evidence of hidden installation, persistence, credential theft, exfiltration, or destructive behavior.

This appears safe to install based on the provided artifacts. Before using it in a real project, review any npx/package commands, prefer pinned dependencies for production, use least-privilege cloud/API credentials, and avoid sending sensitive media to external transcription services unless that is acceptable.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

64/64 VirusTotal vendors reported this skill as clean (no detections).


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI04: Agentic Supply Chain Vulnerabilities (severity: Info)
What this means

Running these commands can create or modify a local project and execute npm package code.

Why it was flagged

The skill documents package-manager and Remotion CLI commands that can download and execute project tooling. This is central to the Remotion purpose and is presented as user-directed setup, not automatic hidden installation.

Skill content
npx create-video@latest my-video ... npx remotion render src/index.ts MyComposition out/video.mp4
Recommendation

Run the commands only in an intended project directory, use trusted package registries, and pin dependency versions for production workflows.

ASI03: Identity and Privilege Abuse (severity: Low)
What this means

If used with broad cloud permissions, rendering/deployment workflows could affect cloud resources or billing.

Why it was flagged

The skill discloses optional cloud account use for serverless rendering. This is purpose-aligned, but cloud credentials can grant resource-creation authority and incur costs.

Skill content
For serverless rendering: AWS account (Lambda) or GCP account (Cloud Run)
Recommendation

Use dedicated least-privilege cloud credentials or projects, review deployment commands and infrastructure settings, and monitor cost limits.

ASI07: Insecure Inter-Agent Communication (severity: Low)
What this means

Sensitive audio or video content used for transcription may leave the local environment and be governed by the provider's privacy and retention policies.

Why it was flagged

The skill references external transcription providers for caption generation. This is expected for caption workflows, but audio/media may be sent to third-party services depending on implementation.

Skill content
[Transcribe captions](rules/transcribe-captions.md) | Audio to captions via Whisper, Deepgram, or AssemblyAI
Recommendation

Use approved transcription providers, keep API keys out of source code, and avoid sending sensitive media unless the provider and retention settings are acceptable.