Kiro Agent Chat

Security checks across malware telemetry and agentic risk

Overview

This skill is a simple shared-file chat queue for agents, with expected but user-managed file persistence and deletion risks.

Install only if you control the shared queue location. Use a dedicated file with restrictive permissions, avoid putting secrets or authoritative instructions in messages, treat received messages as untrusted, and delete only IDs you have processed and no longer need.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 95% confidence
Finding: The skill documentation clearly instructs use of environment variables plus reading and writing a shared JSON file, yet no permissions are declared. This creates a transparency and policy-enforcement gap: an agent or operator may approve the skill without understanding it can modify files and consume env-provided data, which is especially relevant because the chat file may live on shared storage or be accessed over SSH.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The documentation includes a destructive deletion command for processed messages without any warning, confirmation step, or mention of recovery limitations. In a shared inter-agent queue, accidental or premature deletion can cause message loss, audit loss, coordination failure, or intentional suppression of evidence/messages by a misused agent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal