Trust Assessment
remotion-video received a trust score of 79/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. Key findings include "Sensitive environment variable access: $HOME" and "Potential Command Injection via CompositionId".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential Command Injection via CompositionId. The skill provides a shell command template for rendering Remotion videos: `npx remotion render <CompositionId> out/video.mp4`. The `<CompositionId>` is a placeholder intended to be replaced by a user-defined value. If an LLM constructs this command using unsanitized user input for `CompositionId`, a malicious user could inject arbitrary shell commands (e.g., `MyVideo; rm -rf /`) leading to command execution on the host system. When constructing the `npx remotion render` command, ensure that the `<CompositionId>` parameter is strictly validated and sanitized to prevent shell metacharacters from being interpreted as commands. Consider using a whitelist of allowed characters or escaping all potentially dangerous characters before passing the value to the shell. | LLM | SKILL.md:20 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/kjaylee/remotion-video/SKILL.md:8 |