Kiro steering file injection
What it detects
Override/injection language inside .kiro/steering/*.md files — system prompt override phrasing, persona-hijack instructions ("you are now..."), secrecy instructions ("never tell the user..."), or persistent exfiltration instructions ("always send...").
Kiro steering files are injected into every agent context in the project automatically — the same threat model as .cursorrules, but for Amazon's Kiro IDE (launched May 2026). Severity is CRITICAL when the file's frontmatter sets alwaysApply: true (injected on every single prompt) and HIGH when it's scoped to specific open files.
The same module also flags credential path references and network exfiltration patterns specifically inside steering files, since the automatic-injection context makes those higher-impact than the equivalent pattern in a one-off skill file.
Real example
Two .kiro/steering/ files flagged — the first publicly documented scanner finding in the Kiro artifact layer.
How to fix it
Steering files should contain project context and coding standards only — not behavioral overrides. Set alwaysApply: false unless the rule genuinely needs global scope across every agent task in the project; that alone reduces blast radius even before any content changes.