Remotion Best Practice

Security checks across malware telemetry and agentic risk

Overview

This Remotion guidance skill is coherent and not malicious, but users should be mindful of its remote media and TTS API-key examples.

Safe to install as a Remotion best-practices reference. Before using its examples, review any remote URLs, only use licensed media, keep API keys in environment variables or a secret manager, and avoid putting sensitive generated audio or captions in public/static folders.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium, 83% confidence
Finding
The skill explicitly recommends loading remote assets by URL and later shows fetching metadata from an external API, but it provides no warning about network access, privacy, or untrusted content. In agent-driven environments, this can cause unintended outbound requests, leak identifiers or usage context, and pull in attacker-controlled media or metadata during rendering workflows.

Missing User Warnings

Low, 84% confidence
Finding
The documentation explicitly encourages use of remote audio URLs without warning that doing so triggers external network requests, may expose the client's IP address and request metadata, and creates a dependency on third-party hosted content. In a media-rendering workflow this is not inherently malicious, but it can lead users to unintentionally fetch untrusted or privacy-sensitive remote assets during development or rendering.

Missing User Warnings

Low, 85% confidence
Finding
The skill explicitly recommends sourcing additional sound effects from the internet and links to a third-party repository without warning about license terms, provenance, privacy implications, or the risks of embedding untrusted remote media. In this context, users may import assets they do not have rights to use or depend on external content that could change, disappear, or introduce undesirable tracking and supply-chain exposure.

Missing User Warnings

Medium, 90% confidence
Finding
The guide tells users to provide an ElevenLabs API key and send content to a third-party TTS provider, but it does not warn about credential handling, billing risk, or that user text will leave the local environment. In a documentation skill, this omission can lead to accidental exposure of secrets or unintended transmission of sensitive content to an external service.

Missing User Warnings

Low, 81% confidence
Finding
The example writes generated MP3s into the public/ directory, which in common web app layouts makes those files publicly accessible as static assets. Without warning, users may unintentionally publish generated voiceovers containing proprietary or sensitive narration.

VirusTotal

65/65 vendors flagged this skill as clean.