truefoundry-status

Pass

Audited by Gen Agent Trust Hub on Apr 19, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses a bundled helper script (scripts/tfy-api.sh) to perform authenticated API calls. The script is reasonably hardened and applies these defensive checks:
    • Strict validation of the HTTP method against an allow-list (GET, POST, PUT, PATCH, DELETE).
    • Path traversal protection (rejecting API paths that contain '..').
    • Safe .env parsing that avoids the dangerous `source` command: variables are read and exported line by line with a regex-based bash parser, so a crafted value such as `$(...)` is stored as a literal string rather than executed.
  • [CREDENTIALS_UNSAFE]: The skill handles the sensitive TFY_API_KEY variable. It follows best practice by reading the key from environment variables or a .env file rather than hardcoding it, and it instructs the agent not to print raw token values in logs.
  • [EXTERNAL_DOWNLOADS]: The skill documentation includes instructions for users to install the truefoundry CLI and SDK using standard package managers (pip). These resources are officially maintained by the vendor (truefoundry).
  • [PROMPT_INJECTION]: The skill demonstrates high security awareness regarding indirect prompt injection. In references/container-versions.md, it explicitly instructs the AI agent NOT to fetch or parse content from external release pages (GitHub, HuggingFace, etc.), identifying them as untrusted sources that could contain adversarial instructions.
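The three COMMAND_EXECUTION checks and the token-redaction rule above are shown together below as an added, hypothetical reconstruction in POSIX shell. This is not the skill's own scripts/tfy-api.sh; the function names (tfy_check_method, tfy_check_path, tfy_load_env, tfy_redact, tfy_request), the dry-run request builder, the rejection of percent-encoded dots (an extra check beyond the '..' block the audit describes) and the sample .env contents are all assumptions made for this example, and the key in the sample is a placeholder, not a real credential.

```shell
#!/usr/bin/env sh
# Hypothetical reconstruction of the hardening described in the audit.
# Not the skill's scripts/tfy-api.sh; all names and sample data are assumed.

# Allow-list the HTTP method; anything else (TRACE, lowercase, empty) is refused.
tfy_check_method() {
  case "$1" in
    GET|POST|PUT|PATCH|DELETE) return 0 ;;
    *) echo "tfy-api: unsupported method '$1'" >&2; return 1 ;;
  esac
}

# Reject traversal: a literal '..' anywhere in the path, and (added here as an
# extra check) any percent-encoded dot, which a plain '..' test would miss.
tfy_check_path() {
  case "$1" in
    '')          echo "tfy-api: empty path" >&2; return 1 ;;
    *..*)        echo "tfy-api: refusing path with '..': $1" >&2; return 1 ;;
    *%2[eE]*)    echo "tfy-api: refusing percent-encoded dot: $1" >&2; return 1 ;;
    /*)          return 0 ;;
    *)           echo "tfy-api: path must start with '/': $1" >&2; return 1 ;;
  esac
}

# Parse KEY=VALUE lines from stdin without `source` or `.`: values are never
# evaluated, so `EVIL=$(echo pwned)` is stored as the literal text, not run.
# Usage: tfy_load_env < .env
tfy_load_env() {
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac   # blank lines and comments
    key=${line%%=*}
    val=${line#*=}
    [ "$key" = "$line" ] && continue            # no '=' on this line
    case "$key" in
      ''|[0-9]*|*[!A-Za-z0-9_]*) continue ;;    # not a valid identifier
    esac
    case "$val" in                              # strip one layer of quotes
      \"*\") val=${val#\"}; val=${val%\"} ;;
      \'*\') val=${val#\'}; val=${val%\'} ;;
    esac
    export "$key=$val"
  done
}

# Never log a raw token: show a short prefix and the length only.
tfy_redact() {
  if [ "${#1}" -le 8 ]; then
    printf '****\n'
  else
    printf '%.4s...(%d chars)\n' "$1" "${#1}"
  fi
}

# Dry-run request builder: validates method and path, requires the key to be
# present, and prints the curl invocation with the bearer token redacted.
tfy_request() {
  method=$1; path=$2
  tfy_check_method "$method" || return 1
  tfy_check_path "$path" || return 1
  [ -n "$TFY_API_KEY" ] || { echo "tfy-api: TFY_API_KEY not set" >&2; return 1; }
  printf 'curl -sS -X %s -H "Authorization: Bearer %s" "%s%s"\n' \
    "$method" "$(tfy_redact "$TFY_API_KEY")" "$TFY_HOST" "$path"
}

# Load a constructed sample .env (placeholder key, hostile and malformed lines)
# into the current shell and report what survived.
tfy_demo() {
  tfy_load_env <<'EOF'
# constructed sample .env; the key is a placeholder, not a real credential
TFY_API_KEY="tfy-example-not-a-real-key-0000"
TFY_HOST=https://example.truefoundry.invalid
EVIL=$(echo pwned)
1BAD=skip
garbage line without equals
EOF
  echo "host=$TFY_HOST key=$(tfy_redact "$TFY_API_KEY") evil=$EVIL"
}
```

Running `tfy_demo; tfy_request GET /api/svc/v1/jobs` loads the sample, prints the redacted key, and emits the curl line it would run; `tfy_request GET /api/../admin` is refused before any network call. The parser deliberately handles only plain `KEY=VALUE` lines (no `export` prefix, no inline comments, no escape sequences), which is the trade-off that makes it safe to run on an untrusted .env.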
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 19, 2026, 11:52 PM
Security Audit — agent-trust-hub — truefoundry-status