openclaw-kirocli-coding-agent

Warn

Audited by ClawScan on May 10, 2026.

Overview

This instruction-only coding-agent skill is purpose-aligned, but it recommends running external coding CLIs in the background with flags that bypass confirmation prompts and sandboxing, which can let them change code or run commands with limited oversight.

Only install this if you intentionally want OpenClaw to control local coding-agent CLIs. Use it in disposable or backed-up workspaces first, avoid `--trust-all-tools` and `--yolo` on important repositories, run with least-privilege accounts, and actively monitor or kill background sessions.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A coding agent could make unintended file changes or run commands if the prompt, project context, or agent behavior goes wrong.

Why it was flagged

The skill presents trusted-tool execution without confirmation prompts as the standard Kiro automation path, which can allow the external coding agent to use tools or change project files without per-action approval.

Skill content

OpenClaw will run:
```bash
kiro-cli chat --no-interactive --trust-all-tools "your query"
```
...
**Use `--trust-all-tools`** — For automation without confirmation prompts

Recommendation

Prefer safer approval modes where possible, avoid `--trust-all-tools` or `--yolo` for sensitive projects, and require explicit user approval before mutations.

What this means

Users may assume the agent cannot access or affect files outside the selected project when that may not be true for shell-capable, no-sandbox tools.

Why it was flagged

The artifact describes `workdir` as if it reliably limits what the agent can see, while other instructions recommend no-sandbox or trust-all execution modes. That may cause users to overestimate containment.

Skill content

`workdir` | string | Working directory (agent sees only this folder) ... **Why `workdir`?** The agent starts in a focused directory and won't wander into unrelated files.

Recommendation

Describe `workdir` as a working directory, not a security boundary, and advise users to use sandboxing, limited permissions, and backups.

What this means

A background coding agent may continue working after the initial message, so users need to monitor or stop sessions when appropriate.

Why it was flagged

The skill intentionally supports long-running background coding-agent sessions and provides monitoring and termination controls.

Skill content

bash pty:true workdir:~/project background:true command:"codex exec --full-auto 'Build a snake game'" ... process action:log ... process action:poll ... process action:kill

Recommendation

Use timeouts where possible, regularly check running sessions, and kill sessions that are finished or unexpected.

What this means

Tasks may run with access tied to your logged-in provider identity, including project or cloud permissions available to that CLI.

Why it was flagged

The external CLI may operate using the user's authenticated provider account, which is expected for this integration but can carry account-level privileges.

Skill content

After installation, run `kiro-cli login` to authenticate (supports GitHub, Google, AWS Builder ID, or IAM Identity Center).

Recommendation

Use least-privilege accounts or profiles, review the CLI's permissions, and avoid running trusted-tool modes with highly privileged credentials.

What this means

Project details or sensitive context may remain in saved agent sessions and influence future tasks.

Why it was flagged

The skill relies on a CLI that can persist sessions and reuse project context, which is useful but means project information and prior context may be retained or reused.

Skill content

Kiro CLI ... Session persistence and conversation resume ... Steering files for project context

Recommendation

Avoid using persistent sessions for highly sensitive repositories unless retaining that context is acceptable, and review or clear saved sessions when needed.

What this means

Installing the external CLI this way runs code fetched from the network on the user's machine.

Why it was flagged

The README documents a user-directed remote shell installer for Kiro CLI; this is common for CLI installation but depends on the remote source at install time.

Skill content

```bash
curl -fsSL https://cli.kiro.dev/install | bash
```

Recommendation

Install from official sources, inspect installer scripts when possible, and verify checksums or package signatures if available.