Trusted — Risk Score 5/100
Last scan: 2 days ago
kiro
Kiro agentic IDE development workflow guide. Uses spec-driven development, hooks automation, steering rules, MCP integration, and powers extensions.
Kiro development workflow skill containing only documentation and a benign file-creation utility script with no malicious indicators.
Skill Name: kiro
Duration: 27.1s
Engine: pi
Safe to install
This skill is safe to use. No security concerns identified.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md:scripts/create-spec.py creates files in user-specified paths |
| Network | NONE | NONE | | No network calls in code |
| Shell | NONE | NONE | | create-spec.py uses only stdlib os/sys/argparse |
| Environment | NONE | NONE | | No environment variable access |
| Skill Invoke | NONE | NONE | | No cross-skill invocation |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser automation |
| Database | NONE | NONE | | No database access |
6 findings
Medium · External URL · https://kiro.dev · SKILL.md:24
Medium · External URL · https://kiro.dev/docs/ · SKILL.md:192
Medium · External URL · https://kiro.dev/docs/cli · SKILL.md:193
Medium · External URL · https://kiro.dev/docs/getting-started/first-project/ · SKILL.md:194
Medium · External URL · https://discord.gg/kirodotdev · SKILL.md:197
Info · Email address · [email protected] · assets/steering-templates/project-rules.md:102

File Tree

7 files · 25.3 KB · 1324 lines
Markdown: 5 files, 1143 lines · Python: 1 file, 176 lines · JSON: 1 file, 5 lines
├─ 📁 assets
│ └─ 📁 steering-templates
│    └─ 📝 project-rules.md Markdown 225L · 4.3 KB
├─ 📁 references
│ ├─ 📝 hooks-reference.md Markdown 287L · 4.6 KB
│ ├─ 📝 mcp-servers.md Markdown 281L · 4.4 KB
│ └─ 📝 spec-template.md Markdown 138L · 2.5 KB
├─ 📁 scripts
│ └─ 🐍 create-spec.py Python 176L · 3.8 KB
├─ 📋 _meta.json JSON 5L · 123 B
└─ 📝 SKILL.md Markdown 212L · 5.6 KB

Security Positives

✓ Python script uses only standard library (os, sys, argparse, datetime)
✓ No subprocess or shell execution
✓ No network requests or data exfiltration
✓ No credential harvesting or sensitive path access
✓ File operations restricted to user-specified output directory
✓ Reference documentation is static and non-executable
✓ MCP server examples use standard patterns with environment variable placeholders
✓ No base64, eval(), or obfuscated code patterns
✓ No hidden functionality or disguised behavior