FieldFix
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: fieldfix Version: 1.0.0 The OpenClaw skill bundle for FieldFix is benign. The `scripts/fieldfix.js` script interacts solely with the `https://app.fieldfix.ai/api/v1` endpoint, consistent with its stated purpose of managing heavy equipment fleets. It securely retrieves the API key from the `FIELDFIX_API_KEY` environment variable and performs only the read/write operations described in `SKILL.md`. There is no evidence of data exfiltration, malicious execution, persistence, prompt injection attempts against the agent, or obfuscation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overly autonomous agent action could add incorrect expenses, service entries, or machine-hour values.
The CLI can create expense records and update hour-meter data in the FieldFix account. This is disclosed and purpose-aligned, but it can modify business records.
case 'log-expense': ... method: 'POST' ... `/machines/${args[0]}/expenses` ... case 'update-hours': ... method: 'POST' ... `/machines/${args[0]}/hours`Confirm machine IDs, amounts, service details, and hour readings before running write commands; prefer a FieldFix API key with the minimum permissions needed.
Anyone with access to the configured API key could potentially read or change FieldFix fleet data within that key's permissions.
The skill uses a FieldFix API key from the environment to authenticate API requests. This is expected for the service, but the token grants account access according to its FieldFix permissions.
const apiKey = process.env.FIELDFIX_API_KEY; ... 'Authorization': `Bearer ${apiKey}`Use a dedicated, least-privilege FieldFix API key, avoid sharing it in chats or logs, and rotate it if it may have been exposed.