kiro-integration

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill exhibits a significant Indirect Prompt Injection surface (Category 8).
      • Ingestion points: The agent is designed to read and parse content from .kiro/specs/**/*.md and .kiro/steering/*.md (referenced in SKILL.md and hooks-integration.md).
      • Boundary markers: No explicit delimiters or instructions to ignore embedded commands within the ingested markdown files are provided in the prompt templates.
      • Capability inventory: The skill utilizes Write and Edit tools to modify the filesystem and defines a system for executing shell (bash) and Python scripts via PreToolUse and PostToolUse hooks.
      • Sanitization: There is no evidence of sanitization or validation of the natural language content before it is processed by the agent or passed to the hook scripts.
  • [COMMAND_EXECUTION] (HIGH): The 'Hooks' integration pattern described in references/hooks-integration.md facilitates arbitrary command execution. The skill encourages the use of local scripts (e.g., .kiro/hooks/validate-requirements.py) triggered by tool usage. If an attacker can modify these hook scripts or the hooks.json configuration, they can achieve persistent code execution on the agent's host environment.
  • [EXTERNAL_DOWNLOADS] (LOW): While the automated scanner flagged requirements.md and related paths as 'Malicious URLs', this appears to be a false positive triggered by the path concatenation syntax. No actual external malicious URLs were identified in the analyzed content; however, the 'sync' workflow implies potential network activity to a 'canonical model' which is not fully defined.
Recommendations
  • AI detected serious security threats
  • Contains 2 malicious URL(s) - DO NOT USE
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 10:56 AM