Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Fpt Cli

v1.0.4

This skill should be used when OpenClaw needs to install, configure, inspect, or operate `fpt-cli` for Autodesk Flow Production Tracking / ShotGrid workflows...

by Hal@loonghao
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md and its references clearly describe a ShotGrid / fpt-cli integration and list the required FPT_* credentials and auth flows; however, the registry metadata declares no required environment variables, no homepage, and an unknown source. The runtime needs the documentation declares (secrets and a specific GitHub release URL) are not reflected in the skill metadata, which is an inconsistency between stated provenance and required capability.
Instruction Scope
The runtime instructions stay on-topic: they cover schema introspection, command discovery, limiting returned fields, preferring JSON output, and safe dry-run patterns. They also explicitly instruct downloading release archives from GitHub releases and verifying checksums (discouraging pipe-to-shell). The instructions require reading secrets from environment variables (FPT_SCRIPT_KEY, FPT_PASSWORD, FPT_SESSION_TOKEN), which is expected for this connector but broadens the agent's access to sensitive data.
Install Mechanism
There is no install spec in the registry (instruction-only skill). The instruction text points to GitHub releases (https://github.com/loonghao/fpt-cli/releases) and recommends checksum verification and standard install locations. This is a low-to-moderate-risk install pattern if the release source is trusted; the lack of an explicit install entry in the skill metadata and the unknown homepage/source increase uncertainty about provenance.
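The checksum-before-install pattern the instructions recommend, as an added example (not code from fpt-cli, the skill, or ClawHub). It assumes a `sha256sum`-style checksum file published alongside the release, that you obtained the expected digest out of band, and a hypothetical asset name; the archive bytes and checksum lines below are constructed so the example runs offline.

```python
"""Verify a downloaded release archive against a pinned SHA-256 digest
and copy it into the install directory only if the digest matches.
Added example; hashlib/hmac only, no network access."""
import hashlib
import hmac
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Optional


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream the file so large release archives are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_sums(text: str) -> Dict[str, str]:
    """Parse 'sha256sum'-style lines ('<64 hex chars>  <filename>', optional '*' for binary mode).
    Lines that do not look like a SHA-256 entry are ignored."""
    sums: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 64:
            sums[parts[1].lstrip("*")] = parts[0].lower()
    return sums


def verify_release(archive: Path, sums: Dict[str, str]) -> bool:
    """True only if the archive's digest equals the entry for its file name.
    An archive that is not listed at all is refused rather than assumed good."""
    expected = sums.get(archive.name)
    if expected is None:
        return False
    # compare_digest avoids leaking which prefix of the digest matched
    return hmac.compare_digest(sha256_file(archive), expected)


def install_if_verified(archive: Path, sums: Dict[str, str], dest_dir: Path) -> Optional[Path]:
    """Copy the archive into dest_dir only after the digest check passes; None otherwise."""
    if not verify_release(archive, sums):
        return None
    dest_dir.mkdir(parents=True, exist_ok=True)
    target = dest_dir / archive.name
    shutil.copyfile(archive, target)
    return target


def demo() -> Dict[str, bool]:
    """Constructed data: a fake archive, its matching SHA256SUMS, a tampered copy
    with the same name, and an unlisted asset. Returns the outcome of each check."""
    root = Path(tempfile.mkdtemp())
    name = "fpt-cli-1.0.4-linux-x86_64.tar.gz"  # hypothetical asset name
    good = root / "good" / name
    good.parent.mkdir()
    good.write_bytes(b"constructed archive bytes, not a real release\n")
    sums = parse_sums(f"{sha256_file(good)}  {name}\n")

    tampered = root / "tampered" / name
    tampered.parent.mkdir()
    tampered.write_bytes(b"constructed archive bytes, not a real release\n# appended")

    unlisted = root / "good" / "fpt-cli-1.0.3-linux-x86_64.tar.gz"
    unlisted.write_bytes(b"older build, no checksum entry")

    installed = install_if_verified(good, sums, root / "opt" / "fpt-cli")
    blocked = install_if_verified(tampered, sums, root / "opt" / "fpt-cli-tampered")
    results = {
        "good_verifies": verify_release(good, sums),
        "tampered_verifies": verify_release(tampered, sums),
        "unlisted_verifies": verify_release(unlisted, sums),
        "good_installed": installed is not None and installed.exists(),
        "tampered_installed": blocked is not None,
    }
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    print(demo())
```

A checksum file downloaded from the same release page only detects transfer corruption or a swapped asset; it does not prove the publisher was not compromised, so the digest should be pinned from a source you trust (for example, a previously audited release) or paired with a signature check where the project provides one.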
Credentials
The skill's documentation requires multiple sensitive environment variables (FPT_SCRIPT_KEY, FPT_PASSWORD, FPT_SESSION_TOKEN, etc.), but the registry metadata lists no required env vars and no primary credential. Requiring these secrets is justifiable for a ShotGrid CLI, but the metadata omission is a mismatch that could lead to secrets being handed to an unverified skill without the user noticing.
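The mismatch described under Purpose & Capability and Credentials can be checked mechanically: extract the environment variable names the instructions tell the agent to read and compare them with what the registry metadata declares. The following is an added example, not ClawHub's scanner or the skill's code. The SKILL.md text is a constructed sample that uses the FPT_* names quoted in this report plus one hypothetical non-secret name (FPT_SITE_URL), and the metadata dictionary shape (`requiredEnv`, `homepage`, `source`, `install`) is an assumption, not the registry's real schema.

```python
"""Audit a skill's instruction text against its registry metadata:
which env vars does the text reference, which of those look like secrets,
and are they declared? Added example with a hypothetical metadata shape."""
import re
from typing import Dict, List, Set

SECRET_MARKERS = ("KEY", "PASSWORD", "TOKEN", "SECRET")

# Constructed sample, not the real SKILL.md. FPT_SITE_URL is hypothetical.
SKILL_MD = """\
# fpt-cli skill (constructed sample)
Authenticate with one of:
- script auth: FPT_SITE_URL and FPT_SCRIPT_KEY
- user auth:   FPT_SITE_URL and FPT_PASSWORD
- session:     export FPT_SESSION_TOKEN=...
Never print $FPT_SCRIPT_KEY in logs. Prefer `fpt-cli --output json`.
"""

# Assumed metadata shape: mirrors what this report says was declared (nothing).
METADATA_AS_PUBLISHED: Dict = {
    "name": "fpt-cli", "version": "1.0.4",
    "requiredEnv": [], "homepage": None, "source": None, "install": None,
}

# What a corrected listing would look like under the same assumed shape.
METADATA_FIXED: Dict = {
    "name": "fpt-cli", "version": "1.0.4",
    "requiredEnv": ["FPT_SITE_URL", "FPT_SCRIPT_KEY", "FPT_PASSWORD", "FPT_SESSION_TOKEN"],
    "homepage": "https://github.com/loonghao/fpt-cli",
    "source": "https://github.com/loonghao/fpt-cli",
    "install": {"type": "release-archive", "verify": "sha256"},
}


def referenced_env_vars(skill_md: str, prefix: str = "FPT_") -> Set[str]:
    """Names the instructions reference: $VAR / ${VAR} anywhere, plus bare PREFIX_* identifiers."""
    found = set(re.findall(r"\$\{?([A-Z][A-Z0-9_]+)\}?", skill_md))
    found |= set(re.findall(rf"\b{re.escape(prefix)}[A-Z0-9_]+\b", skill_md))
    return found


def looks_secret(name: str) -> bool:
    return any(marker in name for marker in SECRET_MARKERS)


def audit(skill_md: str, metadata: Dict) -> Dict[str, List[str]]:
    """Compare referenced env vars with declared ones and check provenance fields."""
    referenced = referenced_env_vars(skill_md)
    declared = set(metadata.get("requiredEnv") or [])
    undeclared = referenced - declared
    return {
        "referenced": sorted(referenced),
        "undeclared": sorted(undeclared),
        "undeclared_secrets": sorted(n for n in undeclared if looks_secret(n)),
        "missing_provenance": [k for k in ("homepage", "source") if not metadata.get(k)],
        "install_spec": ["present"] if metadata.get("install") else ["missing"],
    }


def should_block(report: Dict[str, List[str]]) -> bool:
    """Policy used here: undeclared secrets or missing provenance means do not auto-install."""
    return bool(report["undeclared_secrets"]) or bool(report["missing_provenance"])


if __name__ == "__main__":
    for label, meta in (("as published", METADATA_AS_PUBLISHED), ("fixed", METADATA_FIXED)):
        rep = audit(SKILL_MD, meta)
        print(label, rep, "block:", should_block(rep))
```

The `should_block` policy is deliberately strict: a skill whose instructions read password- or token-bearing variables that the registry never declared gets no autonomous install, which is the practical reading of the Credentials finding above.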
Persistence & Privilege
The skill is not always-enabled, is user-invocable, and allows normal autonomous invocation (default). It does not request system-wide config changes or modify other skills. No elevated persistence or privileged flags are present.
What to consider before installing
This skill appears to be a legitimate agent-oriented wrapper for fpt-cli, but there are important mismatches you should address before installing:
1) Verify provenance. The docs reference a GitHub repo (loonghao/fpt-cli) but the skill metadata lists no homepage or source; confirm the publisher and repository are trustworthy.
2) Expect to provide sensitive FPT_* environment variables (script keys, passwords, session tokens); do not set these in a shared or untrusted agent environment. Consider testing on an isolated machine or in a container, and use least-privilege credentials (a script account with limited scope).
3) When installing, follow the docs: download release archives from the official repository and verify checksums rather than piping remote scripts into a shell.
4) Ask the skill publisher to update the registry metadata to declare the required env vars and a homepage/source URL so you can audit the binary's origin.
If you cannot verify the release source or do not want to expose credentials to this skill, do not install or run it.
