deploy-hermes-slack-agent
Pass
Audited by Gen Agent Trust Hub on Jun 14, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill executes the `npx @truefoundry/tfy-hermes-agent` command to validate, compile, and deploy agent manifests. It also utilizes `curl` for health monitoring of the deployed API endpoints.
- [EXTERNAL_DOWNLOADS]: The skill downloads and executes the `@truefoundry/tfy-hermes-agent` package from the npm registry. This is a vendor-owned resource necessary for the skill's operation.
- [PROMPT_INJECTION]: The skill processes configuration data from `hermes.yaml` (Ingestion point). While the instructions do not specify explicit boundary markers for user input, the capability inventory is limited to vendor-specific CLI operations and basic network health checks. Sanitization is handled by the underlying TrueFoundry platform during the manifest compilation and deployment process. This constitutes a surface for indirect prompt injection.
- [SAFE]: No indicators of malicious intent, such as obfuscation, persistence, or unauthorized data exfiltration, were found. The skill demonstrates a good security posture by explicitly forbidding the sharing of raw Slack tokens or API keys in the chat session, directing users to use managed SecretGroups instead.
Audit Metadata