truefoundry-agents

Pass

Audited by Gen Agent Trust Hub on Apr 19, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill is authored by the vendor TrueFoundry and manages resources on their own platform. No malicious patterns, obfuscation, or unauthorized behaviors were detected.
  • [COMMAND_EXECUTION]: The skill uses local shell scripts (scripts/tfy-api.sh and scripts/tfy-version.sh) to perform version checks and execute API requests via curl. These scripts are well-authored and include safety checks such as whitelisting the allowed HTTP methods and rejecting path traversal (e.g., checking for '..') in API paths.
  • [SAFE]: Credential handling follows security best practices. The tfy-api.sh script includes a custom parser for .env files that avoids using dangerous commands like source or eval. Furthermore, the documentation explicitly instructs the agent and user to never hardcode or print API keys in logs.
  • [SAFE]: The skill includes proactive security guidance regarding third-party content. It explicitly warns the agent not to fetch or parse content from external URLs like GitHub or HuggingFace to prevent indirect prompt injection attacks.
  • [EXTERNAL_DOWNLOADS]: The skill documentation references the installation of the official truefoundry Python package from a public registry, which is a standard and expected dependency for this vendor's tools.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 19, 2026, 11:53 PM
Security Audit — agent-trust-hub — truefoundry-agents