repomix
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSDATA_EXFILTRATIONREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill recommends installing the
repomixutility vianpm install -gorbrew install. The source repository (yamadashy/repomix) is not on the predefined trusted list, requiring users to trust the third-party maintainer's supply chain. - DATA_EXFILTRATION (MEDIUM): The core functionality involves aggregating codebase content into a single file for LLM context. This poses a data exposure risk where sensitive files (e.g.,
.env, credentials, or private keys) could be included in the output. While the tool includes a 'security check' via Secretlint, it also explicitly documentation how to bypass it using the--no-security-checkflag. - REMOTE_CODE_EXECUTION (LOW): The command
npx repomix --remoteallows the tool to fetch and process data from arbitrary remote repositories. While the tool packages the code rather than executing it, this ingestion of untrusted remote content into an agent's context is a known attack surface. - PROMPT_INJECTION (LOW): Classified as Category 8 (Indirect Prompt Injection). The skill ingests untrusted repository data which is then fed to an LLM.
- Ingestion points: Local file system and remote Git repositories.
- Boundary markers: The tool uses XML, Markdown, or JSON delimiters to separate files, which provides some structural separation but does not prevent semantic injection.
- Capability inventory: File system read access, network access (to fetch remote repos), and terminal command execution.
- Sanitization: The tool includes Secretlint for secret detection, but does not appear to sanitize the code content for malicious LLM instructions.
Audit Metadata