mcp-repomix

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is designed to ingest and process entire codebases, including those from remote GitHub repositories via the pack_remote_repository tool. This creates a significant attack surface where malicious instructions embedded in a codebase could subvert the agent's behavior.
  • Ingestion points: Untrusted data enters the agent context through the pack_remote_repository and pack_codebase tools in SKILL.md.
  • Boundary markers: There is no evidence of boundary markers or instructions to the agent to disregard natural language commands found within the analyzed files.
  • Capability inventory: While this skill primarily performs read/search operations, its stated purpose is to provide context for "large-scale refactoring" and "architectural changes," which involve high-privilege write operations by the agent.
  • Sanitization: No sanitization or filtering of external content is mentioned.
  • [External Downloads] (MEDIUM): The pack_remote_repository tool allows the agent to clone and process external GitHub repositories. While cloning itself is not execution, processing the cloned content as high-trust context for refactoring introduces risk if the source repository is not trusted.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 05:21 AM