neo-team-kiro
Fail
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: HIGH
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The system-analyzer agent is explicitly instructed to access and read sensitive environment files containing production and staging credentials.
  - Evidence: references/system-analyzer.md defines a table of environment files including .env.sit, .env.uat, and .env.prod, and directs the agent to read these files to understand environment configuration.
- [COMMAND_EXECUTION]: The skill provides extensive Bash access and CLI tool templates for interacting with live infrastructure.
  - Evidence: references/system-analyzer-cli-tools.md lists commands for kubectl, psql, argocd, and docker for use in live systems.
  - Evidence: references/system-analyzer.md confirms the use of Bash for triage in SIT, UAT, and PROD environments.
- [DATA_EXFILTRATION]: The agent is configured to load secrets into its shell environment, creating a high risk of exfiltration via the provided network-capable shell.
  - Evidence: references/system-analyzer-cli-tools.md instructs the agent to load credentials using export $(cat .env.sit | xargs), making those secrets available to subsequent shell commands.
- [PROMPT_INJECTION]: The skill possesses a broad attack surface for indirect prompt injection without sufficient safeguards.
  - Ingestion points: references/system-analyzer.md (live logs, database records); SKILL.md (project context files like CLAUDE.md).
  - Boundary markers: Absent. No specific delimiters or safety instructions are defined to separate untrusted data from agent instructions.
  - Capability inventory: Bash, kubectl, psql, argocd, Edit, Write, and use_subagent across multiple specialists.
  - Sanitization: Absent. The skill does not mention validation or sanitization of ingested logs or project documentation.
Recommendations
- AI detected serious security threats
Audit Metadata