FieldFix

Advisory

Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.env_credential_access

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or overly autonomous agent action could add incorrect expenses, service entries, or machine-hour values.

Why it was flagged

The CLI can create expense records and update hour-meter data in the FieldFix account. This is disclosed and purpose-aligned, but it can modify business records.

Skill content

case 'log-expense': ... method: 'POST' ... `/machines/${args[0]}/expenses`
case 'update-hours': ... method: 'POST' ... `/machines/${args[0]}/hours`

Recommendation

Confirm machine IDs, amounts, service details, and hour readings before running write commands; prefer a FieldFix API key with the minimum permissions needed.
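The check above is easier to enforce in code than by eye. The following is an added example, not the skill's own code: a pre-flight guard for the two write commands the advisory quotes. It validates the arguments, builds the POST the CLI would send, and only hands it to a network function after an explicit confirmation. The argument layout (machine ID first, then an amount or hour reading), the machine ID format, and the large-expense threshold are assumptions for illustration.

```javascript
// Added example, not the skill's own code. Argument layout, ID format and the
// expense threshold are assumptions; adjust them to what FieldFix actually uses.

const WRITE_COMMANDS = {
  'log-expense': { path: (id) => `/machines/${id}/expenses`, field: 'amount' },
  'update-hours': { path: (id) => `/machines/${id}/hours`, field: 'hours' },
};

// Assumed ID shape; tighten to whatever FieldFix actually issues.
const MACHINE_ID_RE = /^[A-Za-z0-9][A-Za-z0-9-]{2,31}$/;

// Expenses above this (assumed) threshold need an explicit acknowledgement.
const LARGE_EXPENSE = 5000;

/**
 * Validate a write command without sending anything.
 * Returns { ok, errors, request } where request is the POST that would be made.
 * opts.lastKnownHours: previous meter reading, used to reject a reading that
 *   moves backwards (a common sign of a typo or a swapped machine ID).
 * opts.confirmed: the operator has explicitly acknowledged a large expense.
 */
function planWrite(command, args, opts = {}) {
  const spec = WRITE_COMMANDS[command];
  if (!spec) {
    return { ok: false, errors: [`${command} is not a known write command`], request: null };
  }
  const errors = [];
  const [machineId, rawValue] = args;

  if (!MACHINE_ID_RE.test(String(machineId ?? ''))) {
    errors.push(`invalid machine ID: ${JSON.stringify(machineId)}`);
  }
  // Number('') and Number(null) are 0, so reject blanks before converting.
  const blank = rawValue === undefined || rawValue === null || String(rawValue).trim() === '';
  const value = blank ? NaN : Number(rawValue);
  if (!Number.isFinite(value) || value < 0) {
    errors.push(`${spec.field} must be a non-negative number, got ${JSON.stringify(rawValue)}`);
  }
  if (command === 'update-hours' && opts.lastKnownHours != null && value < opts.lastKnownHours) {
    errors.push(`hour reading ${value} is below the last known reading ${opts.lastKnownHours}`);
  }
  if (command === 'log-expense' && value > LARGE_EXPENSE && !opts.confirmed) {
    errors.push(`expense ${value} exceeds ${LARGE_EXPENSE}; rerun with an explicit confirmation`);
  }
  if (errors.length) return { ok: false, errors, request: null };
  return {
    ok: true,
    errors: [],
    request: { method: 'POST', path: spec.path(machineId), body: { [spec.field]: value } },
  };
}

/**
 * Run a planned write only if validation passed and the confirm callback
 * (a prompt to the operator, or a policy check) agrees. `send` is injected so
 * the flow can be exercised offline.
 */
async function confirmAndSend(command, args, opts, confirm, send) {
  const plan = planWrite(command, args, opts);
  if (!plan.ok) return { sent: false, reason: plan.errors.join('; ') };
  const summary = `${plan.request.method} ${plan.request.path} ${JSON.stringify(plan.request.body)}`;
  if (!(await confirm(summary))) return { sent: false, reason: 'declined by operator' };
  await send(plan.request);
  return { sent: true, reason: summary };
}
```

The guard deliberately knows nothing about the network: `planWrite` is pure, so an agent integration can show the operator the exact `POST /machines/<id>/hours {...}` it is about to make, and a backwards hour reading or an oversized expense is rejected before any request leaves the machine.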

What this means

Anyone with access to the configured API key could read or change FieldFix fleet data, up to whatever that key's permissions allow.

Why it was flagged

The skill uses a FieldFix API key from the environment to authenticate API requests. This is expected for the service, but the token grants account access according to its FieldFix permissions.

Skill content

const apiKey = process.env.FIELDFIX_API_KEY; ... 'Authorization': `Bearer ${apiKey}`

Recommendation

Use a dedicated, least-privilege FieldFix API key, avoid sharing it in chats or logs, and rotate it if it may have been exposed.
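The following is an added example, not the skill's own code: it reads the key from the same environment variable the quoted snippet uses, fails closed when the variable is missing without echoing its value, builds the Bearer header, and produces a redacted copy of any request that is safe to paste into a log or a chat. The environment variable name comes from the advisory; the base URL, log format, and the sample key are constructed for the example.

```javascript
// Added example, not the skill's own code. The env var name matches the
// quoted snippet; the URL and sample key below are constructed placeholders.

const API_KEY_VAR = 'FIELDFIX_API_KEY';

/**
 * Read the API key from an env object. The error names the variable but never
 * includes its value, so a stack trace in a log cannot leak the key.
 */
function loadApiKey(env = process.env) {
  const key = env[API_KEY_VAR];
  if (typeof key !== 'string' || key.trim() === '') {
    throw new Error(`${API_KEY_VAR} is not set; create a least-privilege key in FieldFix and export it`);
  }
  return key.trim();
}

/** Build request headers the way the skill does: Bearer auth. */
function authHeaders(apiKey) {
  return { Authorization: `Bearer ${apiKey}`, 'Content-Type': 'application/json' };
}

/**
 * Mask a token for display: keep the last four characters so an operator can
 * tell which key was used, hide everything else.
 */
function maskToken(token) {
  if (token.length <= 4) return '****';
  return `${'*'.repeat(token.length - 4)}${token.slice(-4)}`;
}

/**
 * Return a copy of a request description that is safe to log: every occurrence
 * of the raw key (the Authorization header, or a key mistakenly built into a
 * URL or body) is replaced by its masked form.
 */
function redactForLog(request, apiKey) {
  const text = JSON.stringify(request);
  // split/join avoids having to regex-escape the key.
  return JSON.parse(text.split(apiKey).join(maskToken(apiKey)));
}

/**
 * Last-line guard before echoing argv, a chat message or a log line: true if
 * the raw key appears in any of the strings.
 */
function containsKey(strings, apiKey) {
  return strings.some((s) => typeof s === 'string' && s.includes(apiKey));
}

// Worked run against a constructed env (not a real key, not a real host).
function example() {
  const env = { FIELDFIX_API_KEY: 'ffk_live_0123456789abcdef' };
  const key = loadApiKey(env);
  const request = {
    method: 'POST',
    url: 'https://api.example.invalid/machines/mx-1042/hours',
    headers: authHeaders(key),
    body: { hours: 1400 },
  };
  return { request, loggable: redactForLog(request, key) };
}
```

Rotation is then a matter of replacing the value behind `FIELDFIX_API_KEY`; nothing else in the skill needs to know the key, and the redacted request is what should appear in any transcript an agent keeps.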

Findings (1)

critical

suspicious.env_credential_access

Location

scripts/fieldfix.js:22

Finding

Environment variable access combined with network send.
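The signal behind this finding (a value read from the environment that flows into a network request) can be reproduced with a small line-based taint pass. What follows is an added example and is not ClawScan's scanner: it marks variables assigned from `process.env`, propagates that mark through simple `const x = ...` assignments, and reports any network call whose arguments mention a marked variable. The source it runs over is constructed to resemble the quoted skill content; it is not the skill's file, and line numbers refer to that sample, not to scripts/fieldfix.js.

```javascript
// Added example, not ClawScan's code. Runs over a constructed sample, not the
// real scripts/fieldfix.js.

const SAMPLE_SOURCE = [
  "// constructed sample resembling the quoted skill; not the real file",
  "const apiKey = process.env.FIELDFIX_API_KEY;",
  "const base = process.env.FIELDFIX_BASE_URL || 'https://api.example.invalid';",
  "function callApi(method, path, body) {",
  "  const headers = { 'Authorization': `Bearer ${apiKey}`, 'Content-Type': 'application/json' };",
  "  return fetch(base + path, { method, headers, body: JSON.stringify(body) });",
  "}",
  "const args = process.argv.slice(3);",
  "if (process.argv[2] === 'update-hours') callApi('POST', `/machines/${args[0]}/hours`, { hours: Number(args[1]) });",
].join('\n');

const ASSIGN = /\b(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=(.*)$/;
const ENV_READ = /process\.env(?:\.([A-Za-z_]\w*)|\[['"]([A-Za-z_]\w*)['"]\])/;
// Sinks: calls that send data off the host. Extend for the HTTP client in use.
const NETWORK = /\b(?:fetch|https?\.request|https?\.get|axios(?:\.\w+)?|got)\s*\(/;
// Env names that look like credentials get the higher severity.
const CREDENTIAL_NAME = /KEY|TOKEN|SECRET|PASS/i;

/**
 * Report env-derived values that reach a network call.
 * Returns [{ rule, severity, envVar, through, sourceLine, sinkLine }].
 */
function scanEnvToNetwork(source) {
  const tainted = new Map(); // identifier -> { envVar, line }
  const usesTainted = (text) =>
    [...tainted.keys()].filter((n) => new RegExp(`\\b${n.replace(/\$/g, '\\$')}\\b`).test(text));
  const findings = [];

  source.split('\n').forEach((line, i) => {
    const lineNo = i + 1;
    const m = ASSIGN.exec(line);
    if (m) {
      const [, name, rhs] = m;
      const env = ENV_READ.exec(rhs);
      if (env) {
        tainted.set(name, { envVar: env[1] || env[2], line: lineNo });
      } else {
        // One-hop propagation: a value built from a tainted one is tainted.
        const src = usesTainted(rhs);
        if (src.length) tainted.set(name, tainted.get(src[0]));
      }
    }
    if (NETWORK.test(line)) {
      for (const name of usesTainted(line)) {
        const origin = tainted.get(name);
        findings.push({
          rule: 'suspicious.env_credential_access',
          severity: CREDENTIAL_NAME.test(origin.envVar) ? 'critical' : 'info',
          envVar: origin.envVar,
          through: name,
          sourceLine: origin.line,
          sinkLine: lineNo,
        });
      }
    }
  });
  return findings;
}
```

On the sample this yields two findings at the `fetch` call: `FIELDFIX_API_KEY` reaching it through `headers` (critical) and `FIELDFIX_BASE_URL` reaching it through `base` (informational). The second illustrates why the rule is labelled suspicious rather than vulnerable: a configurable base URL is the same syntactic pattern as a leaked key, and only the variable's role tells them apart. A real scanner would also follow values across function boundaries and object properties, which this single pass does not.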