truefoundry-integrations

Pass

Audited by Gen Agent Trust Hub on Apr 19, 2026

Risk Level: SAFE (findings tagged COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • [SAFE]: The skill implements a comprehensive security policy for credential handling, requiring the use of tfy-secret:// URIs. It explicitly instructs the agent to refuse raw API keys and never echo or store sensitive tokens in conversation history.
  • [COMMAND_EXECUTION]: Authenticated API operations are performed through a dedicated helper script (tfy-api.sh). This script includes safety checks to prevent path traversal and validates HTTP methods, ensuring that shell operations are restricted to the intended API surface.
  • [EXTERNAL_DOWNLOADS]: The skill references the installation of the truefoundry CLI and Python SDK from standard registries. It also uses pinned container images from trusted repositories including TrueFoundry's ECR, Hugging Face (GHCR), and NVIDIA (NGC).
  • [SAFE]: Documentation within the skill correctly identifies and mitigates risks of indirect prompt injection by marking external sources (such as OpenAPI specifications and A2A agent cards) as untrusted. It mandates human-in-the-loop confirmation before processing data from these external endpoints.
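The two findings above describe a credential policy (only tfy-secret:// references, never raw keys) and a helper script that allow-lists HTTP methods and rejects path traversal. The script below is an added example of how such checks can be written; it is not the skill's own tfy-api.sh, and the function names, the TFY_BASE_URL variable and the exact allow-list are assumptions. It only validates inputs and prints the request it would make, so it runs offline and never sends a token anywhere.

```shell
#!/usr/bin/env bash
# Hypothetical helper modelled on the checks the audit attributes to tfy-api.sh.
# Not the skill's script: names, allow-list and base URL are assumptions.
# It validates method, path and credential reference, then prints the curl
# command it would run instead of executing it, so it is safe to run offline.

set -u

TFY_BASE_URL="${TFY_BASE_URL:-https://api.example.invalid}"   # assumed base URL

nl='
'                      # literal newline, used to detect header smuggling
cr=$(printf '\r')      # literal carriage return

# tfy_check_secret_ref REF -> 0 only for a non-empty tfy-secret:// reference.
# Anything else (a raw API key, an empty string) is refused so it is never
# interpolated into a command line or echoed back.
tfy_check_secret_ref() {
  case "$1" in
    tfy-secret://*) [ "${#1}" -gt 13 ] ;;   # 13 = length of "tfy-secret://"
    *) return 1 ;;
  esac
}

# tfy_check_method METHOD -> 0 only for a method on the allow-list.
tfy_check_method() {
  case "$1" in
    GET|POST|PUT|PATCH|DELETE) return 0 ;;
    *) return 1 ;;
  esac
}

# tfy_check_path PATH -> 0 only for an absolute API path with no traversal,
# no doubled slashes, no percent-encoded dots or slashes, and no whitespace
# or CR/LF that could break out of the URL or smuggle headers.
tfy_check_path() {
  case "$1" in
    /*) ;;
    *) return 1 ;;
  esac
  case "$1" in
    *..*|*//*|*'\'*|*' '*|*'%2e'*|*'%2E'*|*'%2f'*|*'%2F'*) return 1 ;;
  esac
  case "$1" in
    *"$nl"*|*"$cr"*|*"$(printf '\t')"*) return 1 ;;
  esac
  return 0
}

# tfy_api_build METHOD PATH SECRET_REF -> prints the curl invocation on stdout
# and returns 0, or prints a refusal on stderr and returns 1.
# The Authorization header carries only the secret reference placeholder;
# resolving it to a token would happen at request time, outside any log.
tfy_api_build() {
  tfy_check_method "$1"     || { echo "refused: HTTP method '$1' not allowed" >&2; return 1; }
  tfy_check_path "$2"       || { echo "refused: unsafe API path" >&2; return 1; }
  tfy_check_secret_ref "$3" || { echo "refused: credential must be a tfy-secret:// reference" >&2; return 1; }
  printf 'curl -sS -X %s -H "Authorization: Bearer <%s>" %s%s\n' "$1" "$2" "$TFY_BASE_URL" "$2" \
    | sed "s|<$2>|<$3>|"
}
```

A real helper would resolve the reference inside the request step (for example with a process substitution or a header file that is deleted afterwards) rather than passing the token as an argument, since arguments are visible in process listings.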
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 19, 2026, 11:52 PM
Security Audit — agent-trust-hub — truefoundry-integrations