Remotion Video Generator
Verdict: Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its video-generation purpose, but its scraping helper can execute injected Python from a crafted URL and its default workflow exposes a local preview server publicly without explicit approval.
Install only if you are comfortable running npm/pip-based project tooling. Use trusted brand URLs, do not source or eval scraper output, run the skill in a sandboxed project directory, and require explicit approval before starting any public Cloudflare tunnel or background preview server.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or malformed brand URL could cause code to run on the user's machine when the agent runs the scraper.
The shell script interpolates the user-provided URL directly into Python source code passed to `python3 -c`. A crafted URL containing a quote and Python statements could break out of the string and run local Python code.
URL="${1:-https://example.com}" ... python3 -c " ... url = '$URL'
Pass the URL as an argument to Python, such as `python3 - "$URL"`, and read it with `sys.argv[1]`, or safely serialize it with JSON quoting. Avoid constructing executable code with raw user input.
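As an added example (not the skill's or ClawScan's code), here are the two hardened patterns the recommendation names, each checked against constructed URLs that contain quote and backslash characters; `scrape_via_argv` and `scrape_via_json_literal` are hypothetical names, and the one-line child scripts stand in for the real scraper.

```python
"""Two safe ways to hand a user-supplied URL to a Python child process.

The unsafe original interpolates the URL into Python source (`url = '$URL'`),
so a quote inside the URL ends the string literal. Below, the URL is either
passed as its own argv element or embedded as a JSON-quoted literal.
"""
import json
import subprocess
import sys

# Constructed test inputs: a URL with a single quote plus Python-looking text,
# and one with a double quote and a backslash. Both must survive unchanged.
CRAFTED_URLS = [
    "https://example.com/'; print('injected')  # ",
    'https://example.com/"\\path?q=1',
]

# Stand-in for the scraper body: it receives the URL via argv, not via source.
CHILD_SCRIPT = "import sys; print(sys.argv[1], end='')"


def scrape_via_argv(url: str) -> str:
    """Equivalent of `python3 - "$URL"` with `sys.argv[1]` in the script."""
    result = subprocess.run(
        [sys.executable, "-", url],  # argv list: no shell, no interpolation
        input=CHILD_SCRIPT,          # script body arrives on stdin
        capture_output=True, text=True, check=True,
    )
    return result.stdout


def scrape_via_json_literal(url: str) -> str:
    """Alternative: build source with the URL as a JSON-quoted literal."""
    # json.dumps escapes quotes, backslashes and control characters, and its
    # escape forms are all valid in a Python string literal, so the URL can
    # no longer terminate the literal or add statements.
    source = f"print({json.dumps(url)}, end='')"
    result = subprocess.run(
        [sys.executable, "-c", source],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    for crafted in CRAFTED_URLS:
        assert scrape_via_argv(crafted) == crafted
        assert scrape_via_json_literal(crafted) == crafted
    print("both hardened forms treat the URL as data")
```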
Anyone who obtains the public tunnel URL may be able to access the local video preview server while it is running.
The default instructions expose a local Remotion Studio server through a public Cloudflare tunnel as a normal workflow step, without documenting authentication, audience limits, or explicit user approval before public exposure.
Default Workflow (ALWAYS follow this) ... Start Remotion Studio as a background process ... Expose via Cloudflare tunnel so user can access ... Send the user the public URL
Ask the user before creating any public tunnel, explain what will be exposed, use authentication or local-only preview when possible, and provide clear stop/cleanup instructions.
The project setup depends on whatever versions npm serves at install time, which can change over time or inherit supply-chain issues.
The helper downloads and runs the latest npm template and then installs dependencies. This is purpose-aligned for creating a Remotion project, but it relies on remote packages without pinning in the helper.
npx --yes create-video@latest "$NAME" --template blank ... npm install
Pin package versions, commit a lockfile for generated projects when practical, and review dependencies before running generated code or installing globally.
