repomix

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill requires installing the 'repomix' CLI tool from a non-trusted source (yamadashy/repomix) via npm. It also facilitates downloading and processing code from arbitrary remote URLs using 'npx repomix --remote'.
  • [PROMPT_INJECTION] (HIGH): Significant Indirect Prompt Injection surface (Category 8). The skill's core purpose is to ingest large volumes of untrusted external code and present it as context to the agent, which can influence downstream decisions.
      • Ingestion points: Remote repository URLs via 'npx repomix --remote' and local paths via 'repomix_batch.py'.
      • Boundary markers: Uses XML, Markdown, and JSON separators, but these do not prevent adversarial content (e.g., instructions in comments) from overriding agent instructions.
      • Capability inventory: The skill executes CLI commands and writes to the file system. The agent using the output is often performing sensitive operations like 'Security Audit' or 'Bug Investigation'.
      • Sanitization: Documentation mentions Secretlint for credential detection, but no mechanism exists to sanitize malicious instructions embedded in code or comments.
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill executes code downloaded from the internet via 'npx'. Processing third-party repositories via the '--remote' flag is a significant vector for ingesting malicious content that could exploit the packager parser or the agent processing the result.
  • [COMMAND_EXECUTION] (MEDIUM): The skill relies on subprocess calls to execute the 'repomix' CLI and other scripts, which could be vulnerable to command injection if input parameters like repository paths or URLs are not strictly validated.
  • [CREDENTIALS_UNSAFE] (MEDIUM): The 'repomix_batch.py' utility loads environment variables from multiple '.env' file locations. While documentation advises against packaging these files, the automated loading and processing of secret-heavy files increases the risk of accidental exposure during packaging.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 04:58 AM