deploy
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill orchestrates deployments by executing the `tfy` CLI, `docker` commands, and local helper scripts (`tfy-api.sh`, `tfy-version.sh`).
- [EXTERNAL_DOWNLOADS]: It relies on the `truefoundry` and `truefoundry[async]` Python packages, which are official vendor libraries retrieved from PyPI.
- [SAFE]: The `tfy-api.sh` script implements a manual line-by-line parser for `.env` files to avoid the security risks associated with the `source` command.
- [SAFE]: The `tfy-api.sh` script includes validation to ensure API paths start with a slash and do not contain path traversal sequences (`..`).
- [PROMPT_INJECTION]: The skill analyzes local codebase files, such as `docker-compose.yml` and `Dockerfile`, to automatically generate deployment manifests. While this represents an indirect prompt injection surface, the skill mandates user confirmation and promotes the use of dry-run previews to mitigate risk.
- [CREDENTIALS_UNSAFE]: The skill facilitates the discovery and use of `TFY_API_KEY` and other sensitive variables from the environment or `.env` files for authentication with the vendor's API.
Audit Metadata