Is remotion-video-toolkit safe?

https://clawhub.ai/shreefentsar/remotion-video-toolkit

88
SAFE

This is a legitimate Remotion video framework documentation skill containing 29 rule files covering animations, media, captions, rendering, and deployment. No prompt injection, data exfiltration, or malicious behavior was detected. The only notable risks are the breadth of shell commands for package installation and rendering, and the server deployment patterns, both of which are consistent with the skill's stated purpose.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 95/100 · 25%
Code Execution 78/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (6)

LOW Shell commands in rule files -10

Multiple rule files instruct the agent to run npx/npm commands to install Remotion packages and render videos. These are legitimate Remotion CLI operations but grant code execution scope.

LOW Server and cloud deployment patterns -12

The rendering rule covers Express server setup and AWS Lambda/Cloud Run deployment. If an agent follows these instructions, it could spin up server processes or deploy to cloud services.

INFO Large context surface area -5

29 rule files with detailed code examples significantly expand the agent's context. While not malicious, this increases the risk of instruction confusion when combined with other skills.

INFO External URL references in examples -10

Code examples reference remotion.media URLs as sample media sources. These are documentation examples and not agent-actionable fetch directives, but they normalize external URL usage in the agent's context.

INFO Platform runtime file access during init -10

The OpenClaw agent platform accessed .env, .aws/credentials, and config files during initialization. This is platform behavior, not skill-triggered, but is noted for completeness.

INFO No exfiltration vectors detected -5

The skill contains no patterns for reading sensitive files, encoding data, or sending information to external endpoints.