ralph-loop-kiro-specs
Pass
Audited by Gen Agent Trust Hub on Jun 29, 2026
Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on local command execution to perform its primary functions. The runner script executes
kiro-cliwith the--trust-all-toolsflag, allowing the agent to perform actions without manual confirmation during the automation loop. Additionally, the agent is instructed to run project-specific shell commands such as typechecks, tests, and database migrations as part of the implementation phases. - [INDIRECT_PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection as it ingests untrusted project data to guide its actions. While intended for developer use on their own projects, the following factors characterize the surface:
- Ingestion points: The agent reads various Markdown files from the
.kiro/specs/and.kiro/steering/directories, includingrequirements.md,design.md, andtasks.mdin filereferences/ralph-loop-kiro-specs-prompt.md. - Boundary markers: The instructions do not define specific delimiters or instructions to ignore commands that may be embedded within the specification or steering files.
- Capability inventory: The agent possesses shell execution and filesystem modification capabilities through its tools, which are executed autonomously via the runner script.
- Sanitization: No sanitization or filtering is applied to the content of the spec files before they are read and processed by the agent.
- [SAFE]: The skill operates entirely on local files and project contexts. All external references point to legitimate developer resources, such as the official Kiro documentation and the original open-source project on GitHub. No evidence of malicious exfiltration or obfuscation was found.
Audit Metadata