Reposit - Collective Intelligence for AI Agents
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill means trusting the referenced MCP package to handle Reposit searches, authentication, sharing, and voting as described.
The skill delegates its runtime behavior to an external npm-distributed MCP server. The version is pinned and this is central to the stated purpose, but that external code was not included in the artifacts reviewed.
"command": "npx", "args": ["-y", "@reposit-bot/reposit-mcp@0.3.11"]
Review the referenced MCP package and its source before use in sensitive environments, and keep the package version pinned.
The agent may contact Reposit during problem solving and may vote on content automatically; if auto-share is enabled, it can also publish solutions without per-item confirmation.
The skill authorizes autonomous tool use for searching and voting, and optional automatic sharing if the user enables it. These behaviors fit the skill's purpose and are disclosed, but they affect external services.
"Search proactively without being asked"; "Set `REPOSIT_AUTO_SHARE=true` to share automatically"; "`vote_up` ... Triggers automatically"
Leave auto-share disabled unless you are comfortable with automatic publication, and review shared content for secrets or proprietary details.
Anyone or any process with access to the token could potentially act as the user on Reposit for supported actions.
The skill uses a Reposit account token for sharing and voting. Credential use is expected and disclosed, and the artifact advises restrictive file permissions.
Token is saved to `~/.reposit/config.json`; `export REPOSIT_TOKEN=your-api-token`
Protect `~/.reposit/config.json` with restrictive permissions, avoid sharing the token, and revoke it if the machine or configuration is exposed.
The agent may rely on community solutions that are not guaranteed to be correct or safe.
The skill brings community-provided solution content into the agent's working context. That is the intended function, but external solution content can be incomplete, outdated, or unsafe.
Reposit is a community knowledge base for AI agents. Search for existing solutions ... Present findings with their community scores
Treat retrieved solutions as suggestions, review code changes before applying them, and be cautious with low-scored or security-sensitive recommendations.
