kiro-extension
by kelexine
Overview
Manages a spec-driven development workflow within the Gemini CLI, guiding feature development from requirements to design, task generation, and execution with state machine enforcement.
Installation
node dist/kiro-server.js
Security Notes
The `kiroScaffold` function, which creates files and directories from the `file-structure` block in `design.md`, is vulnerable to path traversal. The `cleanPath` variable, derived from the content of `design.md`, is joined with `process.cwd()` without sufficient sanitization (no rejection of `..` segments or absolute paths, and no check that the resolved path stays under the project root). A malicious user, or a model steered by prompt injection while it writes `design.md`, can supply entries such as `../../../../evil.txt` and have the server write files outside the project directory, anywhere the process has write access. The server communicates over stdio rather than a network port, but that is not a mitigation here: the untrusted input is the document content itself, and the write happens with the full privileges of the user running the Gemini CLI. Treat every path from `design.md` as attacker-controlled and verify containment after resolving it, before touching the file system.
Similar Servers
gemini-cli
The A2A (Agent-to-Agent) server implementation for the Gemini CLI, exposing tools and resources via the Model Context Protocol (MCP) to extend Gemini CLI capabilities.
geminimcp
Integrates Google's Gemini CLI with Claude Code as an MCP server for AI-assisted programming, particularly strong in frontend design.
gemini-flow
An AI workflow orchestration and execution platform that enables visual programming and integrates with Google's Gemini and Vertex AI services.
gemini-cli-desktop
Provides a powerful cross-platform desktop and web interface for interacting with Gemini CLI, Qwen Code, and LLxprt Code, offering visual tool confirmation, real-time thought processes, and chat history management for AI agent development workflows.