tanav.aiScanResearchARDGet Started
Open appTry free scan →
Checkers / CHK-119
CHK-119
HIGH – CRITICAL

Kiro steering file injection

category: tool_poison / skill_issue · source: services/scanner/kiro_scanner.py
OWASP MCP Top 10MCP-T03Tool Poisoning

What it detects

Override/injection language inside .kiro/steering/*.md files — system prompt override phrasing, persona-hijack instructions ("you are now..."), secrecy instructions ("never tell the user..."), or persistent exfiltration instructions ("always send...").

Kiro steering files are injected into every agent context in the project automatically — the same threat model as .cursorrules, but for Amazon's Kiro IDE (launched May 2026). Severity is CRITICAL when the file's frontmatter sets alwaysApply: true (injected on every single prompt) and HIGH when it's scoped to specific open files.

The same module also flags credential path references and network exfiltration patterns specifically inside steering files, since the automatic-injection context makes those higher-impact than the equivalent pattern in a one-off skill file.

Real example

affaan-m/everything-claude-code177k★CONFIRMED

Two .kiro/steering/ files flagged — the first publicly documented scanner finding in the Kiro artifact layer.

How to fix it

Remove override/injection instructions from Kiro steering files

Steering files should contain project context and coding standards only — not behavioral overrides. Set alwaysApply: false unless the rule genuinely needs global scope across every agent task in the project; that alone reduces blast radius even before any content changes.