KSE CLI Development Workflow

Pass. Audited by ClawScan on May 1, 2026.

Overview

This instruction-only skill coherently describes a kse CLI workflow; the main thing to notice is an unpinned global npm CLI install.

This appears safe to use as a CLI workflow guide, but before installing you should verify the kiro-spec-engine npm package and preferably use a known version. Run kse commands only in the intended project folder and review file changes after init, spec creation, or document enhancement.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the package adds code to the user's system globally, so the user relies on the npm package being the intended and trustworthy CLI.

Why it was flagged

The workflow depends on installing a global npm package without a pinned version in the provided artifact. This is central to the CLI purpose, so it is a note rather than a concern, but it creates normal package-provenance and version-trust considerations.

Skill content

npm install -g kiro-spec-engine

Recommendation

Verify the npm package and maintainer before installing; consider pinning a known version or using a project-local install if appropriate.