truefoundry-ai-monitoring

Pass

Audited by Gen Agent Trust Hub on Apr 19, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes a custom Bash script scripts/tfy-api.sh to facilitate authenticated API requests using curl. The script is securely implemented with specific protections against path traversal and shell injection by using array-based argument passing.
  • [EXTERNAL_DOWNLOADS]: The skill documentation recommends the installation of the truefoundry Python package. This is a legitimate vendor resource provided by the skill's author for interacting with the platform.
  • [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface common in monitoring tools that ingest untrusted data (AI gateway spans).
      • Ingestion points: Untrusted data enters the agent context through the response from the /api/svc/v1/spans/query endpoint.
      • Boundary markers: Absent; the data is parsed and presented directly to the user.
      • Capability inventory: The skill uses scripts/tfy-api.sh (Bash/curl) to perform platform operations.
      • Sanitization: Absent; the skill relies on the agent's display logic to format span attributes and messages into tables. The risk is considered negligible as the data is used for display purposes only.
  • [SAFE]: Sensitive platform credentials like TFY_API_KEY are handled exclusively via environment variables or .env files. The skill correctly instructs users on how to generate and store these keys securely without hardcoding them.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 19, 2026, 11:53 PM