access-tokens

Pass

Audited by Gen Agent Trust Hub on Apr 14, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses a custom helper script, scripts/tfy-api.sh, to run curl commands against the TrueFoundry API. This script includes safety checks such as validating the HTTP method and preventing path traversal in the API path. It also uses tfy-version.sh to check installed tool versions with standard commands such as pip show and tfy --version.
  • [EXTERNAL_DOWNLOADS]: The skill mentions installing the truefoundry package from the Python Package Index (PyPI) and using uv run to register accounts. These are standard operations for interacting with the TrueFoundry platform and rely on well-known, trusted registries.
  • [CREDENTIALS_UNSAFE]: Although the skill manages highly sensitive Personal Access Tokens (PATs), it implements strict internal security policies. It explicitly instructs the agent not to repeat, store, or log token values in its responses, and provides a 'masking' policy so that full tokens are displayed only once, upon user confirmation.
  • [PROMPT_INJECTION]: The skill documentation (references/container-versions.md and references/manifest-schema.md) identifies potential risks of indirect prompt injection from external sources such as agent card URLs or third-party release pages. It gives the agent proactive instructions to treat these sources as untrusted and to require user confirmation, effectively mitigating this vector.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 14, 2026, 08:25 PM