fieldtheory-cli
Pass
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on the execution of multiple shell commands via the
ftutility (e.g.,ft sync,ft search,ft classify) to manage bookmark data and interact with the local environment. - [EXTERNAL_DOWNLOADS]: The skill instructs the agent to install a package from the public npm registry (
npm install -g fieldtheory) and includes a command to install a companion macOS application (ft install app). - [DATA_EXFILTRATION]: To function without restricted API access, the tool extracts and manages sensitive session information, including browser cookies (
ct0,auth_token) and OAuth tokens. This involves local access to sensitive browser database files and credential management. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its data ingestion workflows.
- Ingestion points: Untrusted bookmark content and enriched article text fetched from X/Twitter and stored in
~/.fieldtheory/bookmarks/. - Boundary markers: The skill provides no explicit instructions or delimiters to the agent to prevent it from following commands embedded within the synced bookmark content.
- Capability inventory: The skill possesses extensive capabilities including shell command execution (
execSync), file system modification (ft library update), and network access for data syncing. - Sanitization: There is no evidence of sanitization or filtering of external content before it is processed by the agent for classification or summarization.
Audit Metadata