hand-over-to-kiro
Pass
Audited by Gen Agent Trust Hub on Jun 29, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the
Bashtool to invokekiro-cli. It explicitly configures the tool with the--trust-all-toolsflag when running in non-interactive mode, which grants the external agent full autonomy to execute its own internal tools and modify the filesystem. - [PROMPT_INJECTION]: The skill processes untrusted user input which is passed to an external AI agent, creating a surface for indirect prompt injection.
- Ingestion points: User input is provided via the
$requestargument inSKILL.md. - Boundary markers: Instructions mandate the use of XML-style boundary tags (e.g.,
<task>,<plan>,<context>) to separate instructions from content. - Capability inventory: The
Bashtool is used to executekiro-cli, which possesses the capability to modify the local filesystem and interact with the environment. - Sanitization: The agent is explicitly instructed to rephrase user input into a structured format rather than passing it verbatim and to use a single-quoted heredoc to prevent shell expansion of the prompt content.
- [EXTERNAL_DOWNLOADS]: The skill references
kiro.devfor documentation and installation. It contains a security guardrail preventing the agent from automatically downloading or installing the CLI tool, ensuring the user remains in control of software installation.
Audit Metadata