truefoundry-tracing

Pass

Audited by Gen Agent Trust Hub on Apr 19, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: Uses the helper script 'scripts/tfy-api.sh' to execute authenticated 'curl' commands for managing resources via the TrueFoundry REST API.
  • [COMMAND_EXECUTION]: Employs 'pip' and 'npm' to install required dependencies including 'traceloop-sdk' and '@traceloop/node-server-sdk'.
  • [COMMAND_EXECUTION]: Runs local scripts such as 'tfy-version.sh' and the 'tfy' CLI for system environment checks and resource deployment.
  • [EXTERNAL_DOWNLOADS]: Downloads software packages from official public registries (PyPI, NPM) and references container images from well-known providers like Amazon ECR and GitHub Container Registry.
  • [DATA_EXFILTRATION]: Retrieves sensitive API keys from the local environment or '.env' files to provide authentication for requests sent to the user-configured TrueFoundry platform URL.
  • [REMOTE_CODE_EXECUTION]: Supports manifest-driven application builds from remote Git repositories as part of the service deployment workflow.
  • [PROMPT_INJECTION]: Includes security guidance regarding the risks of indirect prompt injection when processing external metadata from agent card URLs or remote OpenAPI specifications.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 19, 2026, 11:53 PM