kiro-extension
by kelexine
Overview
Manages a spec-driven development workflow within the Gemini CLI, guiding feature development from requirements to design, task generation, and execution with state machine enforcement.
Installation
node dist/kiro-server.js
Security Notes
The `kiroScaffold` function, which creates files and directories based on the `file-structure` block in `design.md`, is vulnerable to path traversal. The `cleanPath` variable, derived from user-controlled content in `design.md`, is joined with `process.cwd()` without sufficient sanitization (e.g., removing '..' segments). This allows a malicious user or a compromised AI to craft paths like `../../../../evil.txt`, potentially writing files outside the intended project directory to arbitrary locations on the file system. While the server communicates over stdio (not directly exposed network ports), this file system write vulnerability is critical.
Similar Servers
gemini-cli
Provides an A2A (Agent-to-Agent) server for the Gemini CLI, enabling external agents to interact with and utilize the CLI's capabilities for executing tasks and accessing tools.
geminimcp
Integrates Google's Gemini CLI with Claude Code as an MCP server for AI-assisted programming, particularly strong in frontend design.
gemini-flow
An AI workflow orchestration and execution platform that enables visual programming and integrates with Google's Gemini and Vertex AI services.
gemini-cli-desktop
A cross-platform desktop and web UI for interacting with AI models (Gemini CLI, Qwen Code, LLxprt Code) through ACP and MCP, featuring tool confirmation, code diffing, chat history, and file browsing.