truefoundry-secrets

Pass

Audited by Gen Agent Trust Hub on Apr 19, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill implements a strict security policy for handling credentials. It prohibits the agent from displaying, logging, or accepting raw secret values directly, requiring the use of environment variables instead.
  • [SAFE]: Mandatory confirmation rules are established for critical actions. The agent is instructed to never auto-select workspaces and to obtain human approval before executing create, update, or delete operations.
  • [SAFE]: Mitigation against indirect prompt injection is explicitly documented. The instructions warn the agent against fetching or parsing content from third-party release pages, directing it to use pinned container image versions from a trusted internal list.
  • [SAFE]: The tfy-api.sh script is a restricted wrapper for the vendor's API. It includes validation logic to prevent path traversal and only interacts with the user-defined TrueFoundry base URL.
  • [SAFE]: All external dependencies, such as the truefoundry Python package and the CLI, are vendor-owned and part of the expected infrastructure for this skill.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 19, 2026, 11:53 PM