I work with FortiGates and I noticed that they were sandboxing this file from the EPEL repository:
129406154ea25057f8d20d12f1e0b90f2a9494aca05b85070a2fdd2aed0ec746-filelists.xml.gz
I downloaded a sample from here and uploaded it to VirusTotal.
Everything says it is clean, but it meets a YARA rule for a malicious Windows API. I tested this by downloading it on a Windows machine that was protected with SentinelOne, and SentinelOne sandboxed it too, but for behavior.
Since it is an XML file it can contain bad JavaScript; scripting can be embedded in XML. I have not examined the code yet; I am simply reporting what I found because it may be of interest. I think this is important because this is the only repository you can use to install ClamAV and rkhunter in Red Hat-type Linux distros. This may be a false positive because I have examined no code, but I did see SentinelOne sandbox it when I unpacked it on Windows.
Thanks,
Michael Lazin
.. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι.