Kiro-cli on Windows: Security Risks and Safety Best Practices

2026-04-26 · Source: Artificial Intelligence in Plain English - Medium · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Software Development & Engineering, Cybersecurity & Data Privacy · Depth: Intermediate, short

Summary

Kiro-cli, an AI-powered developer assistant integrated with AWS for agentic workflows, presents significant security and stability risks when used on Windows systems. As of April 2026, Kiro-cli lacks native Windows support, requiring users to run it via Windows Subsystem for Linux (WSL). This compatibility layer introduces path-resolution errors and has led to documented cases of "command hallucination," where the AI misinterprets file paths due to differences between Windows' backslashes and Linux's forward slashes. A widely reported incident involved Kiro attempting a recursive deletion on critical system directories like C:\Windows\WinSxS. The tool's agentic nature, allowing it to read files and execute terminal commands, necessitates immediate hardening of its default trusted permissions to mitigate operational risks.

Key takeaway

For AI Engineers deploying Kiro-cli on Windows, prioritize security by running the tool exclusively within an isolated WSL2 environment. Avoid mounting your entire C: drive and diligently review every proposed command, especially those involving `rm -rf` or `del`, to prevent unintended system damage. Consider using the native Windows Kiro IDE for greater stability.

Key insights

Kiro-cli poses operational risks on Windows due to lack of native support and path interpretation issues.

Principles

• Compatibility layers introduce unique security risks.
• Agentic AI tools require strict permission controls.
• Review AI-generated commands before execution.

Method

To safely use Kiro-cli on Windows, run it within an isolated WSL2 instance, mapping only specific project folders, and manually set the CLI to "untrust" file reads.

In practice

• Use WSL2 for Kiro-cli on Windows.
• Map only specific project folders in WSL.
• Alias `kiro-cli` with `--untrust-fs-read`.

Topics

• Kiro-cli
• Windows Subsystem for Linux
• Security Risks
• Command Hallucination
• Agentic AI

Best for: AI Engineer, Software Engineer, AI Security Engineer

Related on AIssential

• How to write a CLI an agent will actually use — Safer AI agent tools require dry-run defaults, structured outputs, and self-description, enforced by framework design.
• HKUDS / CLI-Anything — CLI-Anything transforms any software into agent-native tools via automated CLI generation, enabling AI control without UI automation.
• ChinAI #343: AI Safety/Security Governance Research Report (CAICT 2025) — Chinese AI governance research actively integrates global findings on safety, security, and emerging risks.
• 😺 Meta bought a social network run by bots — AI agent proliferation necessitates robust security frameworks to prevent data breaches and system compromises.
• Windows Platform Security and the Race to Secure AI Agents — Securing AI agents demands OS-level containment, identity, and manageability, with Microsoft's MXC and other platforms advancing diverse isolation solutions.
• Your AI Agent Is Not a Security Boundary — AI agents require external, deterministic security controls, as prompt-based safeguards are insufficient against ambient authority and prompt injection.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Artificial Intelligence in Plain English - Medium.