Summary
skills/remotion/rules/maps.md contains a hidden Unicode character at line 85, column 15 — a Word Joiner (U+2060). This is an invisible zero-width character that doesn't render visually but is present in the file content.
Exact location
The character sits inside a Mapbox GL style URL, right after the opening quote and before the m in mapbox:
style: "mapbox://styles/mapbox/standard",
Hex dump of line 85:
... 22 e2 81 a0 6d 61 70 ...
" [U+2060] m a p
22 = " (opening quote)e2 81 a0 = UTF-8 encoding of U+2060 (Word Joiner) ← the invisible character6d 61 70 = map
The actual string value is "\u2060mapbox://styles/mapbox/standard" instead of the intended "mapbox://styles/mapbox/standard". Likely introduced via copy-paste from a rich text editor. Beyond the security concern, if an AI agent uses this code example literally, the Mapbox style URL would contain a stray byte and the style lookup would fail.
Why it matters
Hidden Unicode characters in agent skill files can subtly alter how AI models parse and interpret instructions. Security-focused tooling flags these as potential risks — even when benign, they should be removed for supply chain hygiene.
This was detected by APM (Agent Package Manager) content security scanning, which automatically scans installed packages for hidden Unicode characters including zero-width joiners, bidi overrides, and variation selectors.
How to reproduce
# Install APM (https://github.com/microsoft/apm)
brew install microsoft/apm/apm
# In any project with the skill installed:
apm install remotion-dev/skills/skills/remotion
apm audit
Output:
┃ Severity ┃ File ┃ Location ┃ Codepoint ┃ Description ┃
│ WARNING │ .github/skills/remotion/rules/maps.md │ 85:15 │ U+2060 │ Word joiner │
How to fix
Option A — Use APM's built-in strip command to remove all hidden characters automatically:
Option B — Manually remove the character at line 85, column 15 in skills/remotion/rules/maps.md. In most editors you can find it by searching for the regex \u2060.
Summary
skills/remotion/rules/maps.mdcontains a hidden Unicode character at line 85, column 15 — a Word Joiner (U+2060). This is an invisible zero-width character that doesn't render visually but is present in the file content.Exact location
The character sits inside a Mapbox GL style URL, right after the opening quote and before the
minmapbox:Hex dump of line 85:
22="(opening quote)e2 81 a0= UTF-8 encoding ofU+2060(Word Joiner) ← the invisible character6d 61 70=mapThe actual string value is
"\u2060mapbox://styles/mapbox/standard"instead of the intended"mapbox://styles/mapbox/standard". Likely introduced via copy-paste from a rich text editor. Beyond the security concern, if an AI agent uses this code example literally, the Mapbox style URL would contain a stray byte and the style lookup would fail.Why it matters
Hidden Unicode characters in agent skill files can subtly alter how AI models parse and interpret instructions. Security-focused tooling flags these as potential risks — even when benign, they should be removed for supply chain hygiene.
This was detected by APM (Agent Package Manager) content security scanning, which automatically scans installed packages for hidden Unicode characters including zero-width joiners, bidi overrides, and variation selectors.
How to reproduce
Output:
How to fix
Option A — Use APM's built-in strip command to remove all hidden characters automatically:
Option B — Manually remove the character at line 85, column 15 in
skills/remotion/rules/maps.md. In most editors you can find it by searching for the regex\u2060.