Kiro AI — agentic threat model
Kiro AI presents a high-risk profile due to its deep integration into local development environments and AWS cloud infrastructure, combined with autonomous tool execution via MCP. Without explicit sandboxing or verification controls mentioned, compromised agent hooks or prompt injections could lead to unauthorized code execution and cloud resource abuse.
OWASP AIVSS score rationale
| Autonomy of Action | 0.70 | |
| Goal-Driven Planning | 0.80 | |
| Self-Modification | 0.30 | |
| Dynamic Tool Use | 0.80 | |
| Persistent Memory | 0.60 | |
| Contextual Awareness | 0.70 | |
| Dynamic Identity | 0.30 | |
| Multi-Agent Interactions | 0.50 | |
| Non-Determinism | 0.60 | |
| Opacity & Reflexivity | 0.50 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — Kiro AI is closed source and does not specify the underlying foundation models used for multimodal chat and code generation. Potential threats include prompt injection bypassing system instructions or model reprogramming.
Not certain from the listing — No details on vector databases or training data are provided, though it manages context across sessions. Threats include context/session poisoning and exfiltration of proprietary codebase data.
Uses agent hooks, MCP integration, and spec-driven development to orchestrate tasks. Threats include insecure tool integration via MCP, tool misuse (e.g., executing malicious commands), and manipulation of the planning phase.
Not certain from the listing — The hosting architecture of the IDE (local vs. cloud-hosted) is not fully detailed, though it features seamless AWS integration. Threats include local privilege escalation, exposure of AWS credentials, and lack of sandboxing for generated code execution.
Not certain from the listing — No mention of built-in guardrails, logging, or evaluation frameworks to monitor agent decisions. Gaps here could lead to undetected malicious code generation or unauthorized AWS deployments.
Not certain from the listing — No explicit security certifications, access control policies, or compliance alignments are mentioned.
Features intelligent agents and agent hooks with MCP integration for external tools/data. Threats include cascading failures from untrusted MCP tools or rogue agent-to-agent interactions during multi-step development tasks.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).
These scores are auto-generated from public information (the agent's own listing, docs, and repository) using the canonical OWASP AIVSS formula and the MAESTRO framework — an estimate for guidance, not a penetration test, audit, or certification. See the scoring methodology. Are you the vendor? Factual corrections are free.