repomix-unmixer
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- Persistence Mechanisms (HIGH): The script `scripts/unmix_repomix.py` is vulnerable to Path Traversal. It takes file paths directly from the input archive and joins them with the output directory using `Path(output_dir) / file_path` without any validation. If the input path is absolute or contains traversal sequences like `../`, the script will write files outside the intended directory.
  - Evidence: Lines 23, 51, and 80 in `scripts/unmix_repomix.py` show direct path concatenation of unsanitized input.
  - Risk: An attacker could craft a malicious XML, JSON, or Markdown archive that overwrites critical files like `~/.bashrc` or `~/.ssh/authorized_keys` to gain persistent access to the system.
- Indirect Prompt Injection (LOW): The skill possesses a data ingestion surface that is vulnerable to indirect prompt injection from malicious archives.
  - Ingestion points: Untrusted Repomix files (XML/JSON/Markdown) processed by `scripts/unmix_repomix.py`.
  - Boundary markers: Absent. The script does not use delimiters or provide instructions to the agent to ignore content-embedded commands.
  - Capability inventory: The script performs file-write operations across the filesystem, and the agent is intended to interact with and potentially execute the extracted content.
  - Sanitization: Absent. The script performs no validation or escaping of extracted content or paths.
Recommendations
- AI detected serious security threats
Audit Metadata