kiro-specs

Pass

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: SAFE (findings: COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits a vulnerability surface for indirect prompt injection (Category 8). It retrieves data from the web using the WebSearch and WebFetch tools to assist in creating design documents.
    ◦ Ingestion points: External content is fetched during the research phase (references/phase-2-design.md) and ingested into the agent's context.
    ◦ Boundary markers: There are no instructions to use delimiters, or warnings to ignore instructions within the fetched content, increasing the risk of the agent obeying embedded commands.
    ◦ Capability inventory: The skill has extensive filesystem access (Write, Edit, Bash) and an implementation phase, which could be leveraged if malicious instructions fetched from the web are processed.
    ◦ Sanitization: No sanitization or validation of the fetched external data is described or required in the guidelines.
  • [COMMAND_EXECUTION]: The detection logic provided in SKILL.md uses a shell script snippet with an unvalidated positional argument ($1) for file path construction. This allows for potential path traversal (e.g., using ../../) when the agent attempts to locate feature-specific specification files.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 1, 2026, 08:43 PM