Status: Pass

Audited by Gen Agent Trust Hub on Apr 14, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill manages platform authentication and connectivity using user-provided environment variables (TFY_API_KEY, TFY_BASE_URL). It explicitly warns against logging or hardcoding these tokens.
  • [COMMAND_EXECUTION]: Uses a shell script (tfy-api.sh) to facilitate authenticated curl requests to the platform. The script includes a security check to prevent path traversal in API endpoints and avoids using unsafe shell commands like 'source' for environment loading.
  • [EXTERNAL_DOWNLOADS]: References the 'truefoundry' Python package and official container images for model serving (vLLM, TGI). These are identified as official vendor resources and well-known industry services.
  • [SAFE]: Implements a mandatory human-in-the-loop confirmation rule for workspace selection, preventing accidental or unauthorized deployments to the wrong environment.
  • [SAFE]: Encourages the use of 'tfy-secret://' URI references in manifests to ensure sensitive credentials are never stored in plain text within configuration files.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 14, 2026, 08:25 PM