deploy
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [SAFE]: The skill follows security best practices by recommending the use of TrueFoundry's internal secret store (via tfy-secret:// URIs) instead of hardcoding sensitive credentials in deployment manifests.
- [EXTERNAL_DOWNLOADS]: The skill facilitates the installation of the official truefoundry Python package from PyPI. This is a trusted vendor dependency used for its CLI and SDK functionality.
- [COMMAND_EXECUTION]: Bash scripts and the tfy CLI are used to orchestrate deployments, verify environment health, and check for existing manifests. These operations are limited to the intended administrative tasks and do not involve executing untrusted remote code.
- [SAFE]: Internal utility scripts such as tfy-api.sh and tfy-version.sh are transparent bash scripts that include basic security checks, such as preventing path traversal in API paths and using a safe parser for .env files rather than sourcing them directly.
- [PROMPT_INJECTION]: While the skill ingests local project data (e.g., docker-compose.yml, Dockerfile), it provides explicit safety instructions in references/container-versions.md forbidding the agent from fetching or ingesting content from third-party release pages, effectively mitigating indirect prompt injection risks from external sources.