skills/ulpi-io/skills/kiro-review/Gen Agent Trust Hub

kiro-review

Pass

Audited by Gen Agent Trust Hub on Apr 1, 2026

Risk Level: SAFE
PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted code changes via git diff and repository source files, then incorporates this content into a prompt for an external AI (kiro-cli). The instruction template lacks explicit boundary markers or sanitization to prevent instructions embedded within the code from overriding the review task.
      • Ingestion points: git diff output and source file content (via kiro-cli tool use) in SKILL.md.
      • Boundary markers: Absent in the review prompt templates provided in SKILL.md.
      • Capability inventory: The skill can read any file in the repository and transmit data externally via kiro-cli in SKILL.md.
      • Sanitization: No sanitization or escaping is applied to the code content before it is processed by the AI.
  • [DATA_EXFILTRATION]: The skill reads project source code and diffs, sending this information to an external AI service via kiro-cli chat. While this is the intended purpose, it poses a data exposure risk if the codebase contains sensitive information or hardcoded secrets.
  • [COMMAND_EXECUTION]: The workflow relies on executing shell commands, including git and kiro-cli. It explicitly recommends using the -a (trust all tools) flag for kiro-cli, which grants the underlying AI agent high privileges to access the filesystem without further confirmation. Additionally, dynamic prompt construction involving user-supplied descriptions could lead to command injection if not handled carefully by the agent.
  • [EXTERNAL_DOWNLOADS]: The skill has a mandatory dependency on the external kiro-cli tool. The security of the operation depends on the integrity and safety of this third-party CLI which is not part of the skill package itself.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 1, 2026, 06:52 PM