repomix
Warn
Audited by Snyk on Feb 23, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's "Remote Repository Support" section and its examples (e.g., `npx repomix --remote https://github.com/owner/repo` and "Process remote repositories without cloning") show that it fetches and ingests arbitrary public GitHub repositories, which are untrusted, user-generated content, and packages them for consumption by LLMs. Files from such a repository could therefore influence downstream tool use or model behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly supports fetching remote repositories at runtime (e.g., `npx repomix --remote https://github.com/owner/repo` or `https://github.com/owner/repo/commit/hash`), which downloads repository content that is then packaged and injected into the LLM context; npx itself also fetches and executes package code. The GitHub URL https://github.com/owner/repo is therefore a runtime external dependency that can directly control prompts or execute code.
Audit Metadata