Back to skill

Security audit

Remotion Video Toolkit

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Remotion documentation skill, with expected examples for video rendering, cloud deployment, remote media, and caption tooling, but users should review privacy and production-hardening needs before copying the examples.

Safe to install as a Remotion learning toolkit. Before using its examples in production, add authentication and rate limits to render APIs, validate composition IDs and props, avoid secrets in inputProps, and treat cloud rendering, remote media URLs, and cloud transcription as third-party data sharing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The skill explicitly recommends caption transcription via Whisper, Deepgram, or AssemblyAI but does not warn that audio content may be transmitted to third-party providers for processing. In a video-generation toolkit, users may pass sensitive recordings containing personal, confidential, or regulated data, so omitting this disclosure can lead to unintended data exposure and compliance issues.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The document recommends loading remote images directly via URL but does not warn that this causes outbound network requests during preview/render and may expose IP address, access patterns, or internal rendering environment metadata to third parties. In a video-generation toolkit, users may copy this pattern into automated pipelines, making silent network access more likely and increasing privacy and supply-chain risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The cloud rendering examples show Lambda and Cloud Run usage without warning that inputProps, media references, and rendered outputs may be transmitted to third-party cloud infrastructure and stored in provider-managed services such as S3 or GCS. In a video-generation toolkit, users may pass sensitive text, images, or URLs into renders; omitting this disclosure can lead to accidental data exposure or compliance/privacy violations when developers copy the pattern into production.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The Express example exposes a /render endpoint that accepts arbitrary compositionId and props from the request body and immediately renders and returns generated media, without any warning about authentication, authorization, rate limiting, input validation, or abuse risk. In this skill's context, rendering is CPU/memory intensive and may fetch remote assets indirectly through props, so an untrusted caller could trigger denial of service, excessive cloud spend, or unsafe processing of untrusted content.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The documentation explicitly encourages use of remote video URLs but does not mention that rendering or previewing such media causes outbound network requests to third-party hosts. In a video-generation pipeline, this can leak IP address, timing, environment metadata, and potentially process untrusted remote content, which is a real but low-severity security concern.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.