Fpt Cli

Name: Fpt Cli
Author: loonghao

功能描述

This skill should be used when OpenClaw needs to install, configure, inspect, or operate `fpt-cli` for Autodesk Flow Production Tracking / ShotGrid workflows...

使用说明 (SKILL.md)

Purpose

Provide a stable, agent-optimized workflow for using fpt-cli from OpenClaw.

This skill follows the Agent DX principles from "You Need to Rewrite Your CLI for AI Agents":

optimize for predictability over discoverability
keep context window usage low (fetch only what you need)
enforce deep defense against hallucinated inputs
use schema introspection at runtime instead of relying on pre-trained knowledge

Keep the agent behavior aligned with the repository contract:

prefer explicit CLI commands over ad-hoc API calls
prefer JSON output for machine consumption
prefer capability discovery before composing new command invocations
prefer safe write previews before real mutations

When to use

Use this skill when any of the following is needed:

install or update fpt-cli
configure ShotGrid / FPT authentication for OpenClaw
inspect which commands the CLI already exposes
query schema or entities through the CLI
run complex searches with filter_dsl, structured search, or additional_filter_presets
perform write operations with --dry-run first

Workflow

1. Choose the execution mode

Determine whether the task should use a released binary or a source checkout.

For released binary installation or update, read references/install-and-auth.md and prefer release archives plus checksum verification over pipe-to-shell installers.
For repository-local development, prefer vx cargo run -p fpt-cli -- ... and vx just ....

2. Prefer environment-based authentication

Load credentials through environment variables instead of putting secrets directly on the command line. Never trigger browser-based OAuth flows in headless environments.

Preferred variables:

Variable	Required	Auth modes	Description
`FPT_SITE`	required	all	Full URL of the ShotGrid / FPT site, e.g. `https://example.shotgrid.autodesk.com`
`FPT_AUTH_MODE`	required	all	Auth strategy: `script`, `user_password`, or `session_token`
`FPT_SCRIPT_NAME`	required	`script`	Name of the API script credential registered in ShotGrid
`FPT_SCRIPT_KEY`	required	`script`	Secret key for the script credential; quote the value when it contains special characters
`FPT_USERNAME`	required	`user_password`	ShotGrid user login (usually an email address)
`FPT_PASSWORD`	required	`user_password`	Password for the ShotGrid user account
`FPT_AUTH_TOKEN`	optional	`user_password`	One-time 2FA token; only needed when the site enforces two-factor authentication
`FPT_SESSION_TOKEN`	required	`session_token`	A pre-obtained ShotGrid session token; use when script or password credentials are unavailable
`FPT_API_VERSION`	optional	all	Override the ShotGrid REST API version, e.g. `v1.1`; defaults to the CLI built-in value when omitted

Allow SG_* variables only as compatibility fallback when FPT_* is not available.

3. Schema introspection — do not guess

Do not rely on pre-trained knowledge to determine command signatures or entity/field names. Pre-trained knowledge goes stale. Guessing causes syntax errors and hallucinates parameters.

Pattern: fetch command list first, then fetch only the contracts you need.

# Step 1: get all command names (cheap — no full payload)
fpt inspect list --output json

# Step 2: fetch contract for specific commands you will actually use
fpt inspect command entity.find --output json
fpt inspect command entity.batch.count --output json

# Step 3: verify entity and field names before composing queries
fpt schema entities --output json
fpt schema fields Shot --output json

Using inspect list before inspect command keeps context window usage low. Using capabilities returns the full payload for all commands — use it only when you need an overview.

4. Choose the narrowest useful command

Prefer the smallest command that satisfies the task.

Use entity.get when the entity id is known.
Use entity.find-one when only one match is needed.
Use entity.find when multiple matches or collection metadata are needed.
Use entity.batch.* when repeating the same operation over many inputs.
Use entity.batch.count when counting records across multiple entity types — do not call entity.count once per type.
Use schema.entities and schema.fields before guessing entity or field names.

5. Context window discipline

Large API responses can consume significant context window and degrade reasoning.

Always limit the fields you request:

# Good: request only the fields you need
fpt entity get Shot 123 --fields code,sg_status_list --output json

# Good: use fields param in find input
fpt entity find Shot --input '{"fields": ["code", "sg_status_list"]}' --output json

# Good: batch count across multiple types in one call
fpt entity batch count --input '["Shot","Asset","Task"]' --output json

Do not request all fields when you only need a few. Use entity.batch.* commands instead of looping single-entity calls.

6. Prefer structured JSON output

Default to --output json unless a human explicitly needs a different view.

This keeps OpenClaw orchestration stable and lowers prompt/token overhead.

7. Apply input hardening invariants

The CLI validates inputs against hallucination patterns. These checks cannot be bypassed:

Entity type names must not contain ? or # — do not embed query parameters in entity names. Wrong: entity get "Shot?fields=code" 123 Right: entity get Shot 123 --fields code
Entity type names must not contain control characters (below ASCII 0x20).
Do not pre-encode URLs — the CLI handles percent-encoding automatically. Sending %2e%2e instead of .. will cause double-encoding failures.
Resource IDs are numeric — never embed filter expressions or query parameters in an ID argument.

The CLI operates in a zero-trust model: all inputs are validated as if they came from an untrusted source.

8. Prefer native search features for complex queries

For non-trivial filters:

prefer structured search JSON when building native _search payloads
use additional_filter_presets for "latest"-style workflows
use --filter-dsl for concise human-authored boolean logic

Read references/query-patterns.md for examples.

9. Apply write safety rules

For writes:

run --dry-run first when supported — treat dry-run output as the request-plan contract
review the dry-run plan to confirm there are no hallucinated parameters before executing
require explicit confirmation before real deletes (--yes)

# Always preview before mutating
fpt entity create Version --input @payload.json --dry-run --output json
# Then execute only after reviewing the plan
fpt entity create Version --input @payload.json --output json

10. Debug in a contract-first order

When something fails:

validate auth with auth test
inspect the command contract with inspect command \x3Cname>
confirm entity and field names via schema commands
reduce the command to the smallest JSON-shaped reproduction
only then expand to batch or write workflows

References

references/install-and-auth.md
references/query-patterns.md

安全使用建议

This skill appears to be a legitimate agent-oriented wrapper for fpt-cli, but there are important mismatches you should address before installing: 1) Verify provenance — the docs reference a GitHub repo (loonghao/fpt-cli) but the skill metadata lists no homepage or source; confirm the publisher and repository are trustworthy. 2) Expect to provide sensitive FPT_* environment variables (script keys, passwords, session tokens); do not set these in a shared or untrusted agent environment. Consider testing in an isolated machine or container and use least-privilege credentials (script account with limited scope). 3) When installing, follow the docs: download release archives from the official repository and verify checksums rather than piping remote scripts. 4) Ask the skill publisher to update the registry metadata to declare the required env vars and a homepage/source URL so you can audit the binary origin. If you cannot verify the release source or do not want to expose credentials to this skill, do not install or run it.

功能分析

Type: OpenClaw Skill Name: fpt-cli Version: 1.0.4 The fpt-cli skill is a well-structured wrapper for the Autodesk Flow Production Tracking (ShotGrid) CLI. It demonstrates strong security practices, including instructions for checksum verification during installation (referencing github.com/loonghao/fpt-cli), mandatory dry-runs for write operations, and strict environment-variable-based credential management to avoid leaking secrets in command history. The SKILL.md and documentation (install-and-auth.md, query-patterns.md) focus on reducing AI hallucinations and enforcing input validation, with no evidence of malicious intent or data exfiltration.

能力评估

⚠ Purpose & Capability

The SKILL.md and references clearly describe a ShotGrid / fpt-cli integration and list required FPT_* credentials and auth flows; however the registry metadata declares no required environment variables, no homepage, and an unknown source. The declared runtime needs (secrets and a specific GitHub release URL) are not reflected in the skill metadata, which is an incoherence in provenance and required capability.

ℹ Instruction Scope

The runtime instructions stay on-topic: they describe schema introspection, command discovery, limiting fields, preferring JSON output, and safe dry-run patterns. They also explicitly instruct downloading release archives from GitHub releases and performing checksum verification (discouraging pipe-to-shell). The instructions require reading environment variables with secrets (FPT_SCRIPT_KEY, FPT_PASSWORD, FPT_SESSION_TOKEN), which is expected for this connector but broadens the agent's access to sensitive data.

ℹ Install Mechanism

There is no install spec in the registry (instruction-only skill). The instruction text points to GitHub releases (https://github.com/loonghao/fpt-cli/releases) and recommends checksum verification and standard install locations—this is a low-to-moderate risk install pattern if the release source is trusted. The lack of an explicit install entry in the skill metadata and the unknown homepage/source increases uncertainty about provenance.

⚠ Credentials

The skill requires multiple sensitive environment variables (FPT_SCRIPT_KEY, FPT_PASSWORD, FPT_SESSION_TOKEN, etc.) in its documentation, but the registry metadata lists no required env vars or primary credential. Requiring these secrets is justifiable for a ShotGrid CLI, but the metadata omission is a mismatch that could lead to unintentionally providing secrets to an unverified skill.

✓ Persistence & Privilege

The skill is not always-enabled, is user-invocable, and allows normal autonomous invocation (default). It does not request system-wide config changes or modify other skills. No elevated persistence or privileged flags are present.

版本历史

v1.0.4

**Expanded agent safety and AI-compatibility guidance for fpt-cli usage** - Updated workflow to follow Agent Developer Experience (Agent DX) principles, emphasizing predictability, schema introspection, and defense against hallucinated inputs. - Added strict input hardening rules, including entity/field name validation and prohibition of control characters or query syntax in arguments. - Expanded guidance on schema introspection: agents must never guess command signatures or parameters, but should always fetch and verify contracts at runtime. - Introduced best practices to limit API response size, preventing excessive context window usage when operating in agent-driven workflows. - Clarified safe mutation patterns: always require dry-run and explicit confirmation before writes. - Enforced headless-auth constraints: never prompt for browser-based flows, always rely on environment variable credentials. - Rewrote and reorganized documentation for concise, unambiguous instruction to agents and human operators.

v1.0.3

- Expanded environment variable documentation for authentication in SKILL.md, including a detailed table of variable requirements and descriptions. - No changes to core logic or repository contract—documentation improvement only.

v1.0.2

- Documentation updated: The "references/install-and-auth.md" file was modified. - No logic, workflow, or behavioral changes—this is a documentation-only update.

v1.0.1

- Explicitly prefer release archives and checksum verification over pipe-to-shell installers for binary installation. - Minor workflow clarification in installation step for increased security. - No breaking changes; workflow and usage remain consistent.

v1.0.0

Initial release with contract-guided workflows for fpt-cli: - Supports install, configuration, and inspection of fpt-cli for Autodesk Flow Production Tracking / ShotGrid tasks. - Prioritizes explicit CLI usage, structured JSON output, and contract discovery before automation. - Enforces best practices for authentication, command selection, safe write previews, and complex entity queries. - Includes structured steps for debugging, capability discovery, and safe operation. - Provides detailed usage guidance via skill documentation and reference files.

元数据

Slug fpt-cli

版本 1.0.4

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 5

常见问题

Fpt Cli 是什么？

This skill should be used when OpenClaw needs to install, configure, inspect, or operate `fpt-cli` for Autodesk Flow Production Tracking / ShotGrid workflows... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 342 次。

如何安装 Fpt Cli？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install fpt-cli」即可一键安装，无需额外配置。

Fpt Cli 是免费的吗？

是的，Fpt Cli 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

Fpt Cli 支持哪些平台？

Fpt Cli 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Fpt Cli？

由 Hal（@loonghao）开发并维护，当前版本 v1.0.4。