hand-over-to-kiro

Pass

Audited by Gen Agent Trust Hub on Jun 29, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to invoke kiro-cli. It explicitly configures the tool with the --trust-all-tools flag when running in non-interactive mode, which grants the external agent full autonomy to execute its own internal tools and modify the filesystem.
  • [PROMPT_INJECTION]: The skill processes untrusted user input which is passed to an external AI agent, creating a surface for indirect prompt injection.
  • Ingestion points: User input is provided via the $request argument in SKILL.md.
  • Boundary markers: Instructions mandate the use of XML-style boundary tags (e.g., <task>, <plan>, <context>) to separate instructions from content.
  • Capability inventory: The Bash tool is used to execute kiro-cli, which possesses the capability to modify the local filesystem and interact with the environment.
  • Sanitization: The agent is explicitly instructed to rephrase user input into a structured format rather than passing it verbatim and to use a single-quoted heredoc to prevent shell expansion of the prompt content.
  • [EXTERNAL_DOWNLOADS]: The skill references kiro.dev for documentation and installation. It contains a security guardrail preventing the agent from automatically downloading or installing the CLI tool, ensuring the user remains in control of software installation.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 29, 2026, 04:32 AM
Security Audit — agent-trust-hub — hand-over-to-kiro