video-report

Name: remotion/video-report
Author: remotion-dev

Share on X Share on LinkedIn Share on Bluesky

70High

The skill facilitates remote code execution by allowing arbitrary file modification, executing unpinned packages, and downloading untrusted external content for build processes without sufficient security validation.

ThreatsCI SM CS BC S HITL

Threat Analysis

AI Agent Traps ↗Scanned 6/20/2026

Content InjectionPerceptionclean

Semantic ManipulationReasoning1 finding

Cognitive StateMemory & Learningclean

Behavioural ControlAction2 findings

SystemicMulti-Agent Dynamicsclean

Human-in-the-LoopHuman Overseerclean

Skill Info

Nameremotion-dev/remotion/video-report

Registrygithub

Versionb6365a226e98

PURLpkg:github/remotion-dev/remotion@b6365a226e98?skill=video-report

Stars50,645

Installs1,400

Source

Repository ↗SKILL.md ↗

Install

This skill has been flagged as potentially malicious. Review the findings below before installing.

GitHub

1,400 installs

Skills.shDocs

npx skills add https://github.com/remotion-dev/remotion

Assessments (3)

AI Agent Traps ↗

Arbitrary file write and execution riskhighcommand executionAML.T0050AML.T0053AML.T0072LLM05:2025LLM06:2025

The instructions direct the agent to download external content and inject it directly into a source file, followed by executing a build command, creating a high risk of remote code execution if the URL is attacker-controlled.

80% confidence

download the URL and put it as the src in packages/example/src/NewVideo.tsx

Unpinned dependency executionmediumsupply chainAML.T0010AML.T0019AML.T0058LLM03:2025

The skill uses 'bunx' to execute a package without version pinning, which allows for the execution of arbitrary, potentially malicious code that could change between runs.

90% confidenceline 8

bunx remotion render NewVideo --log=verbose

Description Mismatchhighdescription mismatchAML.T0011.000LLM06:2025LLM09:2025

The skill performs arbitrary file modification and command execution based on untrusted user input, creating a significant remote code execution (RCE) risk.

85% confidence

The skill writes user-provided URLs directly into source code and executes `bunx` commands, which could be exploited via command injection if the URL is not sanitized.

Missing usage exampleslowpolicy violation

Skill body contains no code blocks or usage examples, making it harder for users to evaluate.

100% confidence

Missing licenseinfopolicy violation

Skill does not specify a license field. Specifying a license helps users understand usage terms.

100% confidence

Badge

Markdown

[![Mondoo Skill Check](https://mondoo.com/ai-agent-security/api/badge/github/remotion-dev/remotion/video-report.svg)](https://mondoo.com/ai-agent-security/skills/github/remotion-dev/remotion/video-report)

HTML

<a href="https://mondoo.com/ai-agent-security/skills/github/remotion-dev/remotion/video-report"><img src="https://mondoo.com/ai-agent-security/api/badge/github/remotion-dev/remotion/video-report.svg" alt="Mondoo Skill Check" /></a>

Image URL

https://mondoo.com/ai-agent-security/api/badge/github/remotion-dev/remotion/video-report.svg

Secure your AI agents

Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.

Continuous scanning of skills across all registries
Policy enforcement before skills reach your agents
Integration with your existing security workflow