FieldFix

Security checks across malware telemetry and agentic risk

Overview

FieldFix is a disclosed API client for managing equipment fleet records, with expected credential use and user-invoked write commands.

Install only if you intend an agent to access your FieldFix account. Use a dedicated least-privilege API key where possible, keep it out of chats and shared logs, and manually verify any action that logs expenses, service work, or hour-meter changes.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill advertises state-changing operations such as logging service, logging expenses, and updating hour meters without warning that these actions modify fleet records and may be difficult to reverse. In an agent setting, this raises the chance of accidental or ambiguous writes caused by misunderstood prompts, leading to corrupted maintenance history, inaccurate costs, or operational mistakes.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The setup section shows a live API key format and instructs users to export it without any guidance on secure handling. This can normalize unsafe credential practices, increasing the risk that users expose production keys through shell history, screenshots, shared terminals, logs, or accidental commits.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal