repomix

Fail

Audited by Socket on Feb 24, 2026

1 alert found:

Malware (severity HIGH) in SKILL.md

[Skill Scanner] Instruction to copy/paste content into terminal detected

The repomix skill description is functionally coherent with its stated purpose (repository packaging for LLMs) and contains legitimate features (filters, output formats, token counting). There is no direct evidence of embedded malware or obfuscated payloads in this document. However, several supply-chain and data-exfiltration risks exist: vague remote-processing semantics (repositories could be proxied through third-party servers), an MCP Server mention without trust details, an option to disable security checks, and a clipboard copy feature that can leak sensitive data. These make the skill potentially dangerous if implemented or used improperly. Overall classification: suspicious/vulnerable, because of the risk of accidental or intentional exfiltration of sensitive data rather than confirmed malicious code.

LLM verification: No clear malicious code or explicit exfiltration is present in the provided skill documentation. The functionality is consistent with a repository-packaging tool, but there are moderate supply-chain and data-leak risks: remote repo processing and the ability to disable security checks increase the chance that sensitive credentials or private keys will be packaged and leaked (especially via the clipboard or shared outputs). Recommend: treat as potentially sensitive, require default-on security ch
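The practical risk the scanner describes is that a packed repository gets copied or shared with credentials or private keys still inside it, and that this is easy to miss once the tool's own security check has been turned off. The script below is an added example, written for this page and not part of the Socket audit or of the repomix project: it runs a last-line secret scan over a packed output before it is shared. It assumes the packed text marks each file with a line of the form `File: <path>` (an assumed layout, adjust the marker regex to whatever the packer actually emits), the sample input is constructed here, and the AWS example key is Amazon's documented placeholder, not a real credential.

```python
import re
from typing import NamedTuple

# Patterns for secrets that commonly end up in a packed repository.
# The AWS and GitHub prefixes are documented token formats and the PEM
# header is the standard private-key marker; the assignment pattern is a
# heuristic and will produce some false positives by design.
SECRET_PATTERNS = {
    "pem_private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "assigned_secret": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)"
        r"\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}

# Assumed layout of the packed output: each file starts with "File: <path>".
FILE_MARKER = re.compile(r"^File:\s+(.+?)\s*$")


class Finding(NamedTuple):
    path: str      # file inside the packed output that carried the secret
    line_no: int   # line number within the packed output, 1-based
    kind: str      # which pattern fired


def scan_packed_output(text: str) -> list[Finding]:
    """Return one Finding per (line, pattern) hit, attributed to the
    file section the line belongs to."""
    findings: list[Finding] = []
    current = "<preamble>"  # lines before the first file marker
    for line_no, line in enumerate(text.splitlines(), 1):
        marker = FILE_MARKER.match(line)
        if marker:
            current = marker.group(1)
            continue
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(current, line_no, kind))
    return findings


def safe_to_share(text: str) -> bool:
    """True only when the scan comes back clean."""
    return not scan_packed_output(text)


# Constructed sample of a packed output; the key values are placeholders.
SAMPLE = """\
================
File: src/app.py
================
import os
DB_URL = os.environ["DATABASE_URL"]
================
File: config/settings.py
================
API_KEY = "sk_live_0123456789abcdef"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
================
File: deploy/id_rsa
================
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAAexample
-----END OPENSSH PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_packed_output(SAMPLE):
        print(f"{f.path}:{f.line_no}: {f.kind}")
    print("safe to share:", safe_to_share(SAMPLE))
```

Run it against the packed file before copying it anywhere (clipboard, chat, ticket); a non-empty result means the pack should be regenerated with the offending files excluded rather than shared and cleaned up afterwards. The pattern list is deliberately short; a real pre-share gate would reuse a maintained secret-detection ruleset rather than hand-written regexes.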

Confidence: 95%
Severity: 90%
Audit Metadata
Analyzed At
Feb 24, 2026, 04:56 PM
Package URL
pkg:socket/skills-sh/rafaelcalleja%2Fclaude-market-place%2Frepomix%2F@eb1bbd6aa22f71260aed1b7b2aade242ae32ff01