kiro-skill
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill's architecture is built around ingesting untrusted external data.
- Ingestion points: helpers/workflow-diagrams.md explicitly defines a flow where the agent reads .kiro/specs/requirements.md, design.md, and tasks.md to determine its next actions.
- Boundary markers: The instructions provide no delimiters or 'ignore embedded instructions' warnings for the agent when it parses these specification files.
- Capability inventory: The agent is authorized to generate 'CLI commands' and 'code snippets' for an 'autonomous process' to execute, creating a direct path from untrusted file content to system operations.
- Sanitization: No sanitization or validation logic is present to filter malicious content from the specification files.
- Malicious URL Detection (HIGH): Automated scans (URLite) flagged a blacklisted URL within the requirements.md file associated with this workflow. This confirms the attack surface is active and contains known malicious indicators.
- Command Execution (MEDIUM): The 'Kiro Identity' instructions encourage the agent to be 'decisive' and include 'CLI commands'. Combined with the ingestion of untrusted files, this increases the risk of the agent being manipulated into generating harmful shell commands.
Recommendations
- AI detected serious security threats
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata