candid-review
Pass
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The validation procedure instructs the agent to run 'jq' shell commands using variable file paths (e.g., jq empty [config_path]). If the agent does not properly escape the filename before interpolating it into a shell-capable tool, a maliciously named file in a project directory could trigger command injection. Severity is dropped to LOW because this is a core functional requirement for config validation.
- [PROMPT_INJECTION] (LOW): Indirect prompt injection surface (Category 8). The skill ingests and acts upon untrusted configuration data found in the current working directory.
  - Ingestion points: the .candid/config.json file in the project root.
  - Boundary markers: absent; there are no instructions for the agent to treat the JSON fields as data only or to ignore instructions that might be embedded in string values.
  - Capability inventory: the skill uses file reading (Read tool), shell execution (jq), and can write files (via the decision register feature).
  - Sanitization: the documentation specifies schema validation (type and enum checks) but does not provide security-specific sanitization or validation for file paths (e.g., preventing path traversal in decisionRegister.path) or for shell command components.
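The two concrete gaps above, a filename interpolated unquoted into a jq command string and an unchecked decisionRegister.path, as an added Python example; this is not code from the audited skill or from the Trust Hub report. The project root, the config contents and the hostile filename are constructed for the demonstration, and shlex is used as a stand-in for what /bin/sh would do with each command string.

```python
import os
import shlex
from pathlib import Path

# Constructed stand-in for .candid/config.json; the register path is a
# deliberately hostile value chosen for this demonstration, not real data.
SAMPLE_CONFIG = {
    "decisionRegister": {"enabled": True, "path": "../../.ssh/authorized_keys"},
}


def naive_jq_command(config_path: str) -> str:
    """Vulnerable pattern from the finding: the path is pasted into a shell string."""
    return f"jq empty {config_path}"


def quoted_jq_command(config_path: str) -> str:
    """Hardened string form: shlex.quote turns the whole path into one shell word."""
    return f"jq empty {shlex.quote(config_path)}"


def jq_argv(config_path: str) -> list:
    """Preferred form: an argv list for subprocess.run(argv) with shell=False,
    so no shell ever parses the filename."""
    return ["jq", "empty", config_path]


def shell_words(command: str) -> list:
    """Tokenise a command string the way /bin/sh would, with ; | & and
    similar metacharacters returned as separate operator tokens."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def resolve_register_path(project_root: str, configured: str) -> Path:
    """Resolve decisionRegister.path and refuse anything outside the project.
    Both absolute values and '..' segments land outside root after resolve()."""
    root = Path(project_root).resolve()
    target = (root / configured).resolve()
    if os.path.commonpath([root, target]) != str(root):
        raise ValueError(f"decisionRegister.path escapes project root: {configured!r}")
    return target


def register_path_is_safe(project_root: str, configured: str) -> bool:
    """Boolean wrapper around resolve_register_path for callers that only gate."""
    try:
        resolve_register_path(project_root, configured)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    hostile = "config.json; rm -rf ~"  # constructed malicious filename
    print(shell_words(naive_jq_command(hostile)))   # rm becomes a second command
    print(shell_words(quoted_jq_command(hostile)))  # one path argument
    print(jq_argv(hostile))                         # never touches a shell
    for candidate in ("decisions/register.json",
                      SAMPLE_CONFIG["decisionRegister"]["path"]):
        print(candidate, "->", register_path_is_safe("/srv/candid-demo", candidate))
```

The tokenised output makes the finding visible: with the naive string the shell sees ';' as a command separator and 'rm' as a second command, while the quoted form and the argv form both hand jq a single path argument. The register check resolves the configured path against the project root before any write, which rejects '..' traversal and absolute paths alike.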
Audit Metadata