Skills
skills/truefoundry/tfy-gateway-skills/truefoundry-status/Gen Agent Trust Hub

truefoundry-status

Pass

Audited by Gen Agent Trust Hub on Apr 15, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes local bash scripts scripts/tfy-api.sh and scripts/tfy-version.sh to perform connectivity tests and version detection. It also utilizes the tfy CLI and curl for interacting with the TrueFoundry platform.
  • [EXTERNAL_DOWNLOADS]: The documentation recommends the installation of the vendor's own Python package (truefoundry) and provides links to official TrueFoundry documentation for credential generation. These resources are consistent with the skill's stated purpose and originate from the author's infrastructure.
  • [DATA_EXPOSURE]: The script scripts/tfy-api.sh reads and parses the .env file in the current directory to retrieve sensitive credentials such as TFY_API_KEY. This is a standard functional requirement for local development tools and the script uses a manual line-by-line parser to prevent code execution that could occur if the file were sourced directly.
  • [INDIRECT_PROMPT_INJECTION]: The skill ingests data from external local files which presents a theoretical attack surface.
  • Ingestion points: Processes configuration data from the .env file via scripts/tfy-api.sh.
  • Boundary markers: None present for the .env file content parsing.
  • Capability inventory: Executes network operations via curl and system commands via the tfy CLI.
  • Sanitization: The .env parser implements a restricted line-by-line reading logic to avoid shell injection. The tfy-api.sh script includes validation to prevent path traversal (..) in API endpoint paths.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 15, 2026, 06:04 AM
Security Audit — agent-trust-hub — truefoundry-status