mcp-servers

Pass

Audited by Gen Agent Trust Hub on Apr 14, 2026

Risk Level: SAFE
Flags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
  • [SAFE]: The skill is well-documented and designed with security in mind, providing explicit instructions to the agent on how to handle credentials and external resources safely.
  • [COMMAND_EXECUTION]: The skill utilizes a custom Bash script (tfy-api.sh) to interact with the TrueFoundry API. This script implements security checks, such as path traversal validation, and ensures that sensitive API keys are only transmitted via authenticated HTTP requests.
  • [EXTERNAL_DOWNLOADS]: The skill documentation suggests installing the truefoundry Python package and provides instructions for wrapping MCP servers using npm packages like @anthropic-ai/mcp-proxy. These references point to legitimate vendor tools and established protocol utilities.
  • [DATA_EXFILTRATION]: The skill manages sensitive API credentials through environment variables or .env files. It includes explicit instructions to the agent to prevent the logging or display of these secrets and to use the vendor's internal secret management system (tfy-secret://) for all manifest configurations.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 14, 2026, 08:25 PM