truefoundry-agents
Pass
Audited by Gen Agent Trust Hub on Apr 15, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill manages TrueFoundry infrastructure using official API endpoints and the tfy CLI. All external references are directed toward the vendor's own services or user-defined base URLs.
- [SAFE]: Sensitive data such as TFY_API_KEY is handled via environment variables or .env files, which is the standard and recommended practice for secret management in this context.
- [SAFE]: The skill enforces a 'MANDATORY Workspace FQN Rule' that requires explicit user confirmation before applying any changes, preventing accidental deployments to incorrect environments.
- [SAFE]: Security warnings are prominently included in the documentation regarding the use of external URLs (e.g., for A2A agents or OpenAPI specs), correctly identifying these as potential surfaces for indirect prompt injection and advising user caution.
- [SAFE]: The shell scripts provided (tfy-api.sh, tfy-version.sh) are transparent utility scripts for authenticated API calls and environment detection, containing no obfuscation, persistence mechanisms, or unauthorized data exfiltration logic.
Audit Metadata