truefoundry-workspaces

Pass

Audited by Gen Agent Trust Hub on Apr 19, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill is well-structured and follows platform security guidelines. It includes explicit instructions for the agent to use secret management (tfy-secret://) for sensitive credentials.
  • [COMMAND_EXECUTION]: The script scripts/tfy-api.sh executes curl to communicate with the TrueFoundry API. The script includes input validation that blocks path traversal attempts (..) and restricts execution to a whitelist of standard HTTP methods.
  • [EXTERNAL_DOWNLOADS]: The skill references container images from well-known and trusted registries, including Amazon ECR (public.ecr.aws/truefoundrycloud), GitHub Container Registry (ghcr.io/huggingface), and NVIDIA Container Registry (nvcr.io/nim). It also provides instructions for installing the official vendor CLI from PyPI.
  • [PROMPT_INJECTION]: The skill contains defensive instructions in references/container-versions.md that explicitly forbid the agent from fetching or parsing content from external release pages, specifically to mitigate the risk of indirect prompt injection from third-party sources.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 19, 2026, 11:53 PM