repomix-unmixer
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is designed to process untrusted external content (repomix-packed files) and convert it into local files and directories. This is a classic surface for Path Traversal attacks.
- Ingestion points: The
unmix_repomix.pyscript parses paths and content from user-provided files (XML<file path="...">, Markdown## File: ..., or JSON"path": "..."). - Boundary markers: The skill uses regex and standard format parsers to identify file boundaries, which can be bypassed or manipulated by malformed input.
- Capability inventory: The skill explicitly uses
python3to execute a script that has the capability to create directories and write arbitrary file content to the filesystem. - Sanitization: There is no mention of path sanitization or validation in the documentation. Without strict checks (e.g., preventing
..or absolute paths), an attacker could overwrite~/.ssh/authorized_keys,.bashrc, or other critical files. - [Command Execution] (MEDIUM): The skill relies on executing a local Python script (
scripts/unmix_repomix.py) via the CLI. While intended for functionality, it serves as the execution engine for the risks identified in the file-writing process.
Recommendations
- AI detected serious security threats
Audit Metadata