When to use

Name: skills/remotion-best-practices
Author: remotion-dev

View on GitHub↗

Share on X Share on LinkedIn Share on Bluesky

40Medium

The skill risks command injection and arbitrary file system access due to unsanitized FFmpeg inputs.

ThreatsCI SM CS BC S HITL

Behavior Analysis

Description verified — behavior matches claim

Claims to do

When to use: Use this skills whenever you are dealing with Remotion code to obtain the domain-specific knowledge.

Actually does

This skill provides `npx` commands to scaffold a Remotion project (`create-video@latest`), start a preview studio (`remotion studio`), and render a single frame (`remotion still`). It also acts as an index, directing users to various local Markdown files (e.g., `./rules/ffmpeg.md`, `./rules/subtitles.md`) for detailed information on specific Remotion features and integrations with tools like FFmpeg, Mediabunny, and ElevenLabs TTS.

Threat Analysis

AI Agent Traps ↗Scanned 4/27/2026

Content InjectionPerceptionclean

Semantic ManipulationReasoningclean

Cognitive StateMemory & Learningclean

Behavioural ControlAction1 finding

SystemicMulti-Agent Dynamicsclean

Human-in-the-LoopHuman Overseerclean

Skill Info

Nameremotion-dev/skills/remotion-best-practices

Registrygithub

Version41a3b0685bc6

PURLpkg:github/remotion-dev/skills@41a3b0685bc6?skill=remotion-best-practices

Stars3,041

Installs289,500

Source

Repository ↗SKILL.md ↗

SHA-2562e8d90b1490e...

SHA-1bdbac9f2ffea...

MD598083676c4d3...

TLSHd6b11053e081...

ssdeep96:bEzom8xrk...

Size5,235 bytes

Install

This skill has been flagged as potentially malicious. Review the findings below before installing.

GitHub

https://github.com/remotion-dev/skills

289,500 installs

Skills.shDocs

npx skills add https://github.com/remotion-dev/skills

Assessments (1)

AI Agent Traps ↗

Potential for FFmpeg Command Injectionmediumcommand execution

The skill explicitly mentions and encourages the use of FFmpeg, a powerful command-line tool. If the agent's inputs to FFmpeg commands are not properly sanitized, this could lead to command injection or arbitrary file system access.

80% confidenceline 47

For some video operations, such as trimming videos or detecting silence, FFmpeg should be used. Load the [./rules/ffmpeg.md] file for more information.

Badge

Markdown

[![Mondoo Skill Check](https://mondoo.com/ai-agent-security/api/badge/github/remotion-dev/skills/remotion-best-practices.svg)](https://mondoo.com/ai-agent-security/skills/github/remotion-dev/skills/remotion-best-practices)

HTML

<a href="https://mondoo.com/ai-agent-security/skills/github/remotion-dev/skills/remotion-best-practices"><img src="https://mondoo.com/ai-agent-security/api/badge/github/remotion-dev/skills/remotion-best-practices.svg" alt="Mondoo Skill Check" /></a>

Image URL

https://mondoo.com/ai-agent-security/api/badge/github/remotion-dev/skills/remotion-best-practices.svg

Secure your AI agents

Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.

Continuous scanning of skills across all registries
Policy enforcement before skills reach your agents
Integration with your existing security workflow