fleet
Security checks across malware telemetry and agentic risk
Overview
Fleet is a powerful but clearly disclosed agent-management CLI; its sensitive actions are purpose-aligned and generally approval-gated, though users should review credentials, updates, session access, and custom adapters carefully.
Install only if you intend to let this skill manage your local agent fleet. Review ~/.fleet/config.json, use tokenEnv rather than inline tokens, keep Fleet/OpenClaw directories private, approve --yes actions only when you explicitly asked for them, and treat custom adapters and unverified updates as executable code.
VirusTotal
1/63 vendors flagged this skill as malicious, and 62/63 flagged it as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If approved or misused, the skill can send tasks to agents, steer sessions, stop agents, restore backups, include secrets in backups, or install updates.
The skill exposes high-impact fleet-control actions, but the artifact explicitly gates them on current operator approval.
Run dispatch, steer, parallel, kill, restore, secret backup, or update install with --yes only after explicit operator approval in the current conversation.
Only approve --yes actions you specifically requested in the current conversation; prefer dry runs and review the target agent, prompt, and config before dispatch.
A malicious or accidentally modified custom adapter could run commands with the installing user’s privileges when Fleet loads or probes adapters.
Custom adapter support intentionally loads shell scripts from a user-controlled adapter directory, which is useful for extensibility but means adapter files are executable code.
Drop a `<type>.sh` file into `~/.fleet/adapters/` or set `FLEET_ADAPTERS_DIR`. A custom adapter must define six functions
Use only trusted adapter scripts, keep ~/.fleet/adapters private, and avoid setting FLEET_ADAPTERS_DIR to shared or untrusted locations.
Installing an update changes the local Fleet code; using an unverified archive would increase supply-chain risk.
Fleet has a self-update path that downloads release artifacts from GitHub. It is explicitly gated and checksum-aware, but the user can override verification.
source: "api.github.com/repos/oguzhnatly/fleet/releases/latest" ... blocked unless a checksum is present or the operator explicitly allows an unverified archive
Use the default checksum-verified update path and avoid --allow-unverified unless you manually verify the release.
Agent tokens may grant control over local agent gateways, and inline tokens in config could be exposed if files are mishandled.
The skill can use agent gateway tokens and still supports inline token fields, but it documents tokenEnv as preferred and describes local loopback use.
Fleet prefers environment-backed tokens ... Legacy inline `token` fields are still supported for backwards compatibility ... Tokens are used only for loopback requests
Prefer tokenEnv, keep ~/.fleet/config.json mode 600, use least-privilege tokens, and run fleet audit before sharing configs or backups.
Session history may contain private prompts, outputs, or secrets, and displaying it can expose sensitive context to the current agent/session.
The skill can read persistent agent session transcripts; the default scope is limited and full-session access is confirmation-gated.
`fleet watch <agent>` reads only the fleet-named session for that agent by default. `fleet watch <agent> --all` can display full main session history ... transcripts may contain private prompts, outputs, or secrets.
Avoid putting secrets in agent chats, use watch --all only when needed, and keep OpenClaw profile/session directories private.
