Repomix
v1.0.1
Pack and analyze codebases into AI-friendly single files using Repomix. Use when the user wants to explore repositories, analyze code structure, find pattern...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (pack/analyze repositories) align with required binaries (npx) and the declared node install of the repomix npm package. Asking for npx and offering a repomix CLI is expected and proportionate.
Instruction Scope
SKILL.md instructs the agent to run npx repomix@latest against local or remote repos and to inspect the generated output with grep. This stays within the scope of repository analysis. However, the doc asserts that Repomix "automatically excludes potentially sensitive files (.env, API keys)" — that is a behavioural claim the instructions do not show how to verify. Users should not assume secrets are always excluded without validating output.
Install Mechanism
Install spec uses the npm package 'repomix' which is a common delivery path for CLI tools. Running 'npx repomix@latest' executes code fetched from the npm registry at runtime; this is normal for npm-based CLIs but carries moderate risk if the package or registry account is compromised. There is no use of arbitrary download URLs or obscure hosts.
Credentials
No environment variables, credentials, or config paths are requested. The permissions requested are minimal and consistent with the skill's purpose.
Persistence & Privilege
The skill does not request always:true, does not persist elevated privileges, and is user-invocable only. It does not attempt to modify other skills or system-wide settings.
Assessment
This skill appears coherent for packing and analyzing repositories, but take these precautions before installing or running it:
1) npx repomix@latest will download and execute the package code from the npm registry at runtime — only run it if you trust the package and maintainer, or consider installing a pinned, reviewed version instead of @latest.
2) Do not assume the tool removed secrets — verify the generated output (or run it against a cloned repository with secrets removed) to ensure no sensitive files were included.
3) Prefer outputting to a temporary directory as recommended and inspect file permissions.
4) If you need stronger assurance, review the repomix package source/release on its homepage or install from a pinned release/checked source before running.
If you want, I can list specific commands to run safely (e.g., how to pin a version, audit the package, or run it in a disposable environment).
Like a lobster shell, security has layers — review code before you run it.
Tags: ai-context, code-analysis, code-explorer, codebase, latest, repository
Runtime requirements
📦 Clawdis
Bins: npx
Install
Install Repomix CLI (npm)
Bins: repomix
npm i -g repomix