Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Repomix Explorer

v0.1.0

Use this skill when the user wants to analyze or explore a codebase (remote repository or local repository) using Repomix. Triggers on: 'analyze this repo',...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description match the instructions: the skill tells the agent to run the Repomix CLI (via npx) to pack and analyze repositories, and to read the produced output for analysis. There are no unrelated credentials, binaries, or config paths requested.
Instruction Scope
The SKILL.md explicitly instructs the agent to run shell commands (npx repomix@latest) and to read generated output files (usually in /tmp or ./repomix-output.xml). This stays within the stated purpose (analyzing remote or local repos). However, allowing shell execution and arbitrary file reads means the agent will access repository contents and any generated output; ensure the user expects the agent to read the repo and any sensitive files it may contain.
Install Mechanism
This is an instruction-only skill with no install spec, but the runtime commands use `npx repomix@latest`, which downloads and executes code from the npm registry. Using npx/@latest is convenient but can execute arbitrary code from a third-party package at runtime — a normal supply-chain risk for CLI tools. No archive downloads from untrusted URLs are present.
Credentials
No environment variables, credentials, or config paths are requested. The required surface is proportional to the stated purpose (analyzing repositories).
Persistence & Privilege
The skill does not request persistent/always presence; default autonomy is allowed (platform default). It does not propose modifying other skills or system-wide settings. Output files are written to /tmp or local working directory per the instructions.
Assessment
This skill appears to do what it says: run Repomix to pack a repo and analyze the output. Before installing/using it, consider:
(1) npx repomix@latest will fetch and execute code from the npm registry — if you want stronger guarantees, pin a specific repomix version (e.g., repomix@1.2.3) or install/inspect the CLI yourself;
(2) the agent will read repository files and any generated output in /tmp or the working directory — do not run it on repositories containing secrets you don't want to expose;
(3) run the skill in a sandbox/container if you are worried about executing third-party code;
(4) verify the repomix package source (npm package page, GitHub repo, checksum) if you need higher assurance.
If you control the environment, manually installing and vetting repomix before allowing the agent to run it reduces risk.
