Kiro
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: kiro
Version: 1.0.0
The bundle provides a comprehensive guide and scaffolding tools for the 'Kiro' agentic IDE workflow, focusing on spec-driven development and automation. It contains a harmless Python script (scripts/create-spec.py) for generating markdown templates and extensive documentation (SKILL.md, references/) regarding hooks, steering rules, and Model Context Protocol (MCP) integrations. No evidence of malicious intent, data exfiltration, or prompt injection was found; the high-risk capabilities described (such as shell command execution via hooks) are standard features of the documented developer tool and are not exploited within the bundle.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A misconfigured hook could run commands, change files, or deploy code automatically during normal development actions.
The hooks reference shows user-configurable automation that can run shell commands and deploy to production on a Git push. This is expected for a workflow-automation guide, but high-impact hooks should be reviewed and explicitly approved.
trigger: git.push branch: main action: run "vercel --prod"
Use hooks only for clearly understood tasks, avoid destructive commands, and require review for deploy or deletion workflows.
If broad tokens are configured, Kiro-connected tools may be able to read or modify repositories, databases, or workspace content.
The MCP examples use service credentials such as GitHub tokens, database URLs, and Slack bot tokens. These are purpose-aligned for integrations but can grant account or workspace authority.
"GITHUB_TOKEN": "${GITHUB_TOKEN}"
Use least-privilege tokens, limit repositories/workspaces, rotate credentials, and avoid sharing API keys.
External packages run as part of MCP setup could inherit the permissions and credentials granted to the integration.
The guide shows MCP servers launched through npx with automatic package acceptance. This is a common, purpose-aligned setup pattern, but users should verify package provenance and versions.
"command": "npx", "args": ["-y", "@modelcontextprotocol/server-github"]
Prefer trusted packages, pin versions where possible, and review MCP server permissions before enabling them.
Project rules may continue affecting future agent actions, including rules added by collaborators or copied from templates.
The skill describes persistent steering files that define custom rules and project context. This is core to Kiro, but persistent context can influence later agent behavior.
Steering - define custom rules and project context through markdown files
Review steering files before use, keep them project-scoped, and avoid treating unreviewed markdown as authoritative policy.
Enabled MCP servers may expose local files, repository data, database content, or workspace messages to the agent workflow.
The guide explicitly connects Kiro to MCP servers and external APIs. This is disclosed and purpose-aligned, but data boundaries depend on which servers and paths the user enables.
Model Context Protocol (MCP) allows Kiro to connect to external tools, APIs, and data sources
Enable only needed MCP servers, restrict allowed paths, and separate credentials by project or environment.
