repomix
Audited by Socket on Feb 20, 2026
1 alert found:
Malware [Skill Scanner]: Installation of third-party script detected

All findings:
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[CRITICAL] command_injection: Instruction to copy/paste content into terminal detected (CI012) [AITech 9.1.4]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]

BENIGN: The Repomix skill/documentation describes a coherent, legitimate utility for packaging codebases for AI analysis and security audits, with standard install sources, appropriate data access controls, and transparent data flows. No malicious or credential-harvesting patterns are evident in the provided material. Potential risk remains around exposing repository contents to LLMs, mitigated by explicit user review and security options.

LLM verification: This SKILL.md describes a legitimate-sounding repository packaging tool whose documented capabilities align with its purpose. I found no code-level malware or obfuscation in the provided documentation. The primary security concerns are operational and architectural: the remote-processing feature is underspecified (could involve a third-party server), users can disable security checks and .gitignore enforcement which could lead to accidental inclusion of secrets, and installation via npm/Homebrew