truefoundry-docs
Pass
Audited by Gen Agent Trust Hub on Apr 19, 2026
Risk Level: SAFE
Full Analysis
- [DATA_EXPOSURE]: The skill correctly handles platform credentials using environment variables (TFY_API_KEY) and .env files. It explicitly instructs users and agents never to hardcode secrets and to use the platform's secret management system (tfy-secret://) for sensitive data in deployment manifests.
- [EXTERNAL_DOWNLOADS]: The skill fetches documentation content from official vendor domains (truefoundry.com). It also recommends installing the official vendor CLI (truefoundry) via pip, which is standard practice for this platform's integrations.
- [PROMPT_INJECTION]: A dedicated 'Security: Third-Party Content' section in the reference files warns against fetching or ingesting content from untrusted release pages (GitHub, HuggingFace, etc.) to prevent indirect prompt injection attacks, demonstrating a strong security posture.
- [COMMAND_EXECUTION]: Shell commands are used for fetching documentation and interacting with the TrueFoundry API. The provided tfy-api.sh script includes basic path validation to prevent path traversal and ensures requests are correctly authenticated.
- [SAFE]: The skill includes a mandatory confirmation rule for workspace selection, preventing accidental deployments or modifications to the wrong environment.
Audit Metadata