repomix

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill explicitly instructs the agent to read and package repository files (breaking work into tasks for each file) and to deliver a single packaged output — which will verbatim include any secrets present in those files (and even allows disabling security checks), creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill explicitly fetches and packages remote public repositories (see "Remote Repository Support" in SKILL.md and scripts/repomix_batch.py which runs npx repomix --remote on owner/repo or GitHub URLs), so it ingests untrusted, user-generated code from open sources for AI analysis and those contents could contain embedded instructions that alter downstream LLM/tool behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill invokes commands like "npx repomix --remote https://github.com/owner/repo" at runtime (and recommends/npm-installs the repomix package), which will fetch and execute remote npm package code and also retrieve GitHub repository contents that are then packaged and fed into LLM prompts—i.e., remote code execution and external content directly controlling model context.