FastAPI Production Engineering
Verdict: Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: afrexai-fastapi-production
Version: 1.0.0

The skill bundle provides a comprehensive methodology for building, deploying, and scaling production FastAPI applications. It includes extensive code examples, best practices, and security checklists across various phases of development. There is no evidence of intentional malicious behavior, such as data exfiltration, unauthorized command execution, or persistence mechanisms. The instructions in SKILL.md and README.md are clearly aligned with the stated purpose and do not contain prompt injection attempts to subvert the agent's function. While a generic repository pattern using `getattr` in SKILL.md could introduce a vulnerability if implemented without proper input validation, the skill explicitly promotes 'Input validation on ALL endpoints' as a P1 security check, indicating an overall intent for secure development rather than malice.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may generate or modify project files, auth patterns, Docker configuration, or CI setup when you ask it to use this skill.
The skill is designed to guide changes to application code and deployment configuration. That is consistent with its stated purpose, but those changes can affect a real service if applied without review.
`set up a new FastAPI project` — full structure + config
`add authentication` — JWT + dependency injection pattern
`prepare for production` — Dockerfile + CI + checklist
Apply it only to the intended project, review generated diffs, and validate auth, secrets, CORS, Docker, and CI settings before deploying.
Projects generated from this guidance will need sensitive application secrets such as database connection strings and JWT secrets.
The skill includes application patterns for database and JWT secrets. The guidance uses environment-based `SecretStr` fields and says not to hardcode secrets, so this appears purpose-aligned rather than suspicious.
database_url: SecretStr  # Required — no default
...
jwt_secret: SecretStr  # Required
...
model_config = {"env_file": ".env", "env_file_encoding": "utf-8"}

Store real secrets in a proper secrets manager or protected environment variables, avoid committing `.env` files, and rotate any credentials accidentally exposed during development.
