neo-team-kiro
Warn
Audited by Gen Agent Trust Hub on Apr 22, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides a comprehensive list of shell commands for managing and querying live infrastructure using `kubectl`, `psql`, `argocd`, and `docker` in the `references/system-analyzer-cli-tools.md` file. While intended for diagnostics, these commands grant significant control over the deployment environment.
- [DATA_EXFILTRATION]: The `references/system-analyzer.md` instructions guide the agent to read sensitive environment files (e.g., `.env.sit`, `.env.uat`, `.env.prod`) to retrieve configuration and database credentials. Reading these files exposes secrets to the agent's context.
- [DATA_EXFILTRATION]: The system analyzer agent is instructed to fetch logs and database records which may contain sensitive data, PII, or internal system details.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection by design, as it incorporates untrusted data from project files (`CLAUDE.md`, `AGENTS.md`) and live system logs into agent prompts.
  - Ingestion points: `SKILL.md` (project documentation), `references/system-analyzer.md` (infrastructure logs and database query results).
  - Boundary markers: The orchestration logic uses Markdown headers to separate context but lacks explicit safety instructions to prevent the execution of commands found within the data.
  - Capability inventory: The subagents possess extensive capabilities including shell access (`Bash`), file reading (`fs_read`), and file modification (`Write`, `Edit`).
  - Sanitization: There is no evidence of sanitization, filtering, or validation of the content read from external files or logs before it is passed to the LLM.
Audit Metadata