FieldFix
Pass
Audited by ClawScan on May 10, 2026.
Overview
FieldFix appears to be a coherent FieldFix API client, but it uses your FieldFix API key and can change fleet service, expense, and hour-meter records.
Use this skill only if you trust FieldFix and intend your agent to access that account. Set the API key as an environment variable, use the least-privileged key available, and manually verify any request that logs expenses, service work, or hour-meter updates.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overly autonomous agent action could add incorrect expenses, service entries, or machine-hour values.
The CLI can create expense records and update hour-meter data in the FieldFix account. This is disclosed and purpose-aligned, but it can modify business records.
case 'log-expense': ... method: 'POST' ... `/machines/${args[0]}/expenses` ... case 'update-hours': ... method: 'POST' ... `/machines/${args[0]}/hours`
Confirm machine IDs, amounts, service details, and hour readings before running write commands; prefer a FieldFix API key with the minimum permissions needed.
Anyone with access to the configured API key could potentially read or change FieldFix fleet data within that key's permissions.
The skill uses a FieldFix API key from the environment to authenticate API requests. This is expected for the service, but the token grants account access according to its FieldFix permissions.
const apiKey = process.env.FIELDFIX_API_KEY; ... 'Authorization': `Bearer ${apiKey}`
Use a dedicated, least-privilege FieldFix API key, avoid sharing it in chats or logs, and rotate it if it may have been exposed.
