skills/ron-myers/candid/candid-review/Gen Agent Trust Hub

candid-review

Warn

Audited by Gen Agent Trust Hub on Apr 25, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill constructs shell commands by interpolating values from .candid/config.json and ~/.candid/config.json without sanitization. Specifically, the mergeTargetBranches values are used directly in git diff <branch>...HEAD commands, allowing an attacker to execute arbitrary commands by supplying a malicious branch name in a repository's configuration file.
  • [COMMAND_EXECUTION]: The automatic commit functionality (Step 9.5) executes git add using a list of modified file paths. If a repository contains files with maliciously crafted names, this can lead to command injection when the agent attempts to stage those files via a shell interface.
  • [PROMPT_INJECTION]: The skill is designed to analyze and process untrusted external code changes (git diffs), making it highly susceptible to indirect prompt injection. Malicious instructions embedded in code comments could manipulate the agent's review logic or trick it into using its file-editing and git-commit capabilities to introduce security vulnerabilities.
  • [COMMAND_EXECUTION]: The configuration schema defined in CONFIG.md includes buildCommand and testCommand fields designed to be executed as shell commands. This design pattern encourages the execution of unvalidated, user-supplied shell strings, presenting a significant system execution risk.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 25, 2026, 06:55 PM