ralph-loop-kiro-specs

Pass

Audited by Gen Agent Trust Hub on Jun 29, 2026

Risk Level: SAFE
COMMAND_EXECUTION

Full Analysis
  • [COMMAND_EXECUTION]: The skill relies on local command execution to perform its primary functions. The runner script executes kiro-cli with the --trust-all-tools flag, allowing the agent to perform actions without manual confirmation during the automation loop. Additionally, the agent is instructed to run project-specific shell commands such as typechecks, tests, and database migrations as part of the implementation phases.
  • [INDIRECT_PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection as it ingests untrusted project data to guide its actions. While intended for developer use on their own projects, the following factors characterize the surface:
      • Ingestion points: The agent reads various Markdown files from the .kiro/specs/ and .kiro/steering/ directories, including requirements.md, design.md, and tasks.md, as referenced in references/ralph-loop-kiro-specs-prompt.md.
      • Boundary markers: The instructions do not define specific delimiters, nor do they instruct the agent to ignore commands that may be embedded within the specification or steering files.
      • Capability inventory: The agent possesses shell execution and filesystem modification capabilities through its tools, which are executed autonomously via the runner script.
      • Sanitization: No sanitization or filtering is applied to the content of the spec files before they are read and processed by the agent.
  • [SAFE]: The skill operates entirely on local files and project contexts. All external references point to legitimate developer resources, such as the official Kiro documentation and the original open-source project on GitHub. No evidence of malicious exfiltration or obfuscation was found.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 29, 2026, 12:01 AM
Security Audit — agent-trust-hub — ralph-loop-kiro-specs