Fpt Cli
Review
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent instruction-only skill for using fpt-cli with ShotGrid, with disclosed but sensitive credential, install, and write-operation guidance.
Before installing, confirm you trust the fpt-cli release source, verify the downloaded binary when possible, and provide only the minimum ShotGrid credentials needed. For any create, update, or delete task, review the dry-run output and give explicit approval before running live changes.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If these credentials are provided, the agent may be able to access the user's ShotGrid site with the permissions of that credential.
The skill expects ShotGrid script keys, user passwords, or session tokens for authenticated account access. This is aligned with the fpt-cli purpose, but it is sensitive authority.
`FPT_SCRIPT_KEY` ... Secret key ... `FPT_PASSWORD` ... Password ... `FPT_SESSION_TOKEN` ... session token
Use the least-privileged ShotGrid credential available, prefer script credentials where appropriate, and avoid sharing broad user passwords or long-lived session tokens unless necessary.
A live command could create, change, or delete production-tracking records in ShotGrid.
The skill documents create, update, and delete operations against ShotGrid entities. It directs dry-run use first and says delete requires confirmation, so this is disclosed and purpose-aligned, but still high-impact if used on live data.
fpt entity create Version --input @payload.json --dry-run ... fpt entity update Task 42 --input @patch.json --dry-run ... fpt entity delete Playlist 99 --dry-run ... Delete requires explicit confirmation ... fpt entity delete Playlist 99 --yes
Review dry-run output before allowing real writes, confirm the site, entity type, ID, and payload, and reserve destructive commands for explicit user-approved tasks.
Installing the CLI runs code obtained from an external release source.
The skill instructs downloading and installing a GitHub release binary. It includes checksum-verification guidance and avoids pipe-to-shell installation, but the external binary is not included in the reviewed artifacts.
curl -fLO "https://github.com/loonghao/fpt-cli/releases/download/${FPT_VERSION}/${FPT_ARCHIVE}" ... sha256sum -c --ignore-missing fpt-checksums.txt ... install -m 755 ./fpt "$FPT_INSTALL_DIR/fpt"
Download only from the intended upstream project, verify checksums or signatures when available, and install into a user-controlled directory rather than a privileged system path.
A self-update may change the installed fpt binary and therefore future behavior of the tool.
The skill documents a self-update command for the installed CLI. This is expected for CLI maintenance, but it can replace executable code outside the skill package.
fpt self update --check --output pretty-json
fpt self update
Run update checks intentionally, review the source/version being installed, and avoid unattended self-updates in sensitive environments.
