truefoundry-access-tokens

Pass

Audited by Gen Agent Trust Hub on Apr 19, 2026

Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses a bash script, scripts/tfy-api.sh, which serves as an authenticated wrapper around curl to interact with the TrueFoundry REST API. This script implements safe environment variable loading and validates HTTP methods and paths to prevent command injection and path traversal.
  • [CREDENTIALS_UNSAFE]: The skill is designed to handle sensitive Personal Access Tokens (PATs). It incorporates a robust 'Security Policy: Credential Handling' section that strictly prohibits the agent from repeating, storing, or logging token values. It mandates masking tokens by default and only showing full values once upon explicit user confirmation.
  • [DATA_EXFILTRATION]: Communication is restricted to the user-provided TFY_BASE_URL. Credentials are sent via standard Authorization headers. Analysis confirms that network operations are directed at the vendor's platform and do not involve unauthorized third-party domains.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes data from API responses, such as lists of token names, which represent a potential surface for indirect injection.
    • Ingestion points: Output from API calls made via tfy-api.sh in SKILL.md.
    • Boundary markers: Data is typically formatted into Markdown tables as specified in the presentation instructions.
    • Capability inventory: The agent has access to the Bash tool for network operations and file reads of configuration files like .env.
    • Sanitization: No explicit content sanitization of API strings is performed before they are processed by the agent.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 19, 2026, 11:53 PM