repomix: attach_packed_output can bypass file-read secret scanning for supported local files
Repomix's MCP server exposes a normal file_system_read_file tool that reads absolute paths only after running the project's secret check. However, the attach_packed_output plus read_repomix_output flow can read arbitrary local .json, .txt, .md, or .xml files without the same safety check and without verifying that the file is actually a Repomix packed output. This is a medium-severity local MCP file-read boundary issue. The affected deployment is the documented repomix --mcp stdio …
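The gap between the two read paths, and one way to close it by routing both through a single gate, modelled as an added example (not Repomix's own code). All function names, the in-memory DISK contents, the one-pattern secret check and the packed-output marker are assumptions made for illustration.

```typescript
type Result = { ok: boolean; detail: string };

// Constructed in-memory files standing in for the local disk.
const DISK: Record<string, string> = {
  "/proj/repomix-output.xml": '<files>\n<file path="src/a.ts">export const a = 1;</file>\n</files>',
  "/home/dev/keys.txt": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PRIVATE KEY-----",
  "/home/dev/notes.md": "# meeting notes\nnothing packed here",
};
const ALLOWED_EXT = /\.(json|txt|md|xml)$/;

// Stand-in for the project's secret check (assumption: one simple pattern).
function looksSecret(text: string): boolean {
  return /-----BEGIN [A-Z ]*PRIVATE KEY-----/.test(text);
}

// Assumption: a packed output carries a recognisable structural marker.
function looksPacked(text: string): boolean {
  return /<file path="[^"]+">/.test(text);
}

function load(path: string): string | null {
  const value = DISK[path];
  return typeof value === "string" ? value : null;
}

// Single gate shared by every read path.
function guard(text: string, requirePacked: boolean): Result {
  if (requirePacked && !looksPacked(text)) return { ok: false, detail: "not a packed output" };
  if (looksSecret(text)) return { ok: false, detail: "secret check failed" };
  return { ok: true, detail: text };
}

// Models the direct read tool: content is returned only after the secret check.
function readFileTool(path: string): Result {
  const text = load(path);
  return text === null ? { ok: false, detail: "not found" } : guard(text, false);
}

// Models the flow described above: only the file extension is checked.
function attachUnchecked(path: string): Result {
  const text = load(path);
  if (text === null || !ALLOWED_EXT.test(path)) return { ok: false, detail: "rejected" };
  return { ok: true, detail: text };
}

// Hardened attach: same extension filter, then the shared gate.
function attachGuarded(path: string): Result {
  const text = load(path);
  if (text === null || !ALLOWED_EXT.test(path)) return { ok: false, detail: "rejected" };
  return guard(text, true);
}
```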