repomix-explorer
Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill instructions direct the agent to construct shell commands using unvalidated user input, such as repository URLs or directory paths (e.g., `npx repomix@latest --remote <repo>`). This pattern creates a significant surface for command injection if the agent interpolates user strings directly into the shell.
- [EXTERNAL_DOWNLOADS]: The skill fetches the `repomix` package dynamically from the NPM registry using `npx` and downloads remote repository content from Git providers like GitHub for analysis. While targeting well-known services, this involves executing remote code and processing untrusted third-party data.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes arbitrary source code from remote or local repositories.
  - Ingestion points: Content is read from repositories via `npx repomix` and stored in temporary XML files (e.g., `/tmp/<repo-name>-analysis.xml`).
  - Boundary markers: While XML formatting is used, there are no specific instructions for the agent to ignore or sanitize natural language instructions found within code comments or documentation in the analyzed files.
  - Capability inventory: The agent has shell access (`npx`, `grep`, `rm`) and the ability to read the file system, which could be exploited by injected instructions.
  - Sanitization: The skill relies on the third-party tool's default exclusion list; no additional sanitization of the analyzed content is performed to prevent the agent from obeying instructions embedded in the code.
- [CREDENTIALS_UNSAFE]: The skill explicitly encourages using `grep` to search for sensitive patterns such as "password", "token", and "jwt". While intended for code review, this functionality can be used to locate and expose actual hardcoded credentials within the analyzed codebase to the agent's context.
Audit Metadata