repomix
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE
Flags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes the `repomix` and `npx` CLI tools via the Python `subprocess.run` function in `scripts/repomix_batch.py`. The command is built as a list of arguments, which effectively mitigates shell injection vulnerabilities.
- [EXTERNAL_DOWNLOADS]: The skill uses `npx` to download and run the `repomix` package and can fetch repository data from remote URLs (e.g., GitHub). These operations target well-known and reputable services.
- [DATA_EXFILTRATION]: The skill reads local files to package them and specifically searches for `.env` files in parent directories to load configuration variables. While this is a common pattern for skill configuration, it involves accessing potentially sensitive file paths.
- [PROMPT_INJECTION]: The skill facilitates an indirect prompt injection surface because its primary purpose is to aggregate untrusted third-party code for AI consumption.
  - Ingestion points: Local file system paths and remote repository URLs processed by `scripts/repomix_batch.py`.
  - Boundary markers: The tool uses XML or Markdown tags to delimit files, although it does not inject explicit instructions for the AI to ignore instructions within the content.
  - Capability inventory: All external interactions are handled through `subprocess.run` calls to the `repomix` utility.
  - Sanitization: The skill integrates Secretlint to detect and warn about hardcoded secrets, but it does not filter or sanitize the natural language content of the files.
Audit Metadata