tenzir-review-changes

Pass

Audited by Gen Agent Trust Hub on May 12, 2026

Risk Level: SAFE

PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is designed to process external and potentially untrusted data, including pull request descriptions, commit messages, and reviewer comments. This design creates an inherent surface for indirect prompt injection, where an adversary could attempt to influence the agent's review process or drafted responses by embedding instructions within the content being reviewed.
  • Ingestion points: The agent loads text directly from references/reviewer-feedback.md and external GitHub metadata (PR descriptions, comments, commit history) into its context.
  • Boundary markers: There are no specific instructions or delimiters provided to separate untrusted external content from the core review instructions, increasing the risk of the agent conflating data with instructions.
  • Capability inventory: The agent performs analysis, synthesizes findings, and drafts replies to human reviewers, which are critical paths that could be manipulated by malicious input.
  • Sanitization: The process does not define any validation or sanitization steps for the external text before it is analyzed.
Audit Metadata
Risk Level: SAFE
Analyzed: May 12, 2026, 01:01 AM