onboarding
Pass
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill is authored by TrueFoundry and directs all network communication to official vendor domains (truefoundry.com, truefoundry.cloud). This is standard behavior for an onboarding utility.
- [COMMAND_EXECUTION]: Executes shell commands to install the vendor's CLI tool and manage project configuration. These operations are limited to the user's environment and are necessary for the skill's functionality.
- [CREDENTIALS_SAFE]: Properly handles the TFY_API_KEY by advising users to store it in environment variables or .env files, and provides explicit warnings against committing these secrets to version control.
- [EXTERNAL_DOWNLOADS]: Installs the official 'truefoundry' package from PyPI, which is a well-known and trusted package registry.
- [DATA_EXPOSURE]: Includes a script (tfy-api.sh) that validates API paths for traversal attempts and implements a safe line-by-line parser for .env files to avoid execution of untrusted code.
Audit Metadata