Kagi Fastgpt
Review
Audited by ClawScan on May 1, 2026.
Overview
This skill is coherent with its stated Kagi FastGPT purpose, but users should notice that it needs a Kagi API key, sends queries to Kagi, and can build or download a local executable.
Install only if you are comfortable giving the skill access to a Kagi API key and sending your questions to Kagi. For the local executable, building from the included Go source or verifying the GitHub release checksum is safer than blindly accepting a downloaded latest-release binary.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Queries can consume the user's Kagi API balance, and the API key should be treated like a credential.
The skill reads a Kagi API key from the environment and uses it for API authorization. This is expected for a Kagi integration, but it gives the tool delegated access to the user's paid Kagi API account.
apiKey := strings.TrimSpace(os.Getenv("KAGI_API_KEY")) ... req.Header.Set("Authorization", "Bot "+apiKey)
Use a dedicated Kagi API token if available, keep it out of shared logs and profiles, and monitor API balance after installation.
A downloaded executable runs with the user's local permissions, so trust depends on the GitHub release provenance.
If a local build is unavailable, the wrapper fetches the latest GitHub release binary, writes it locally, and makes it executable. It prompts before download, but the wrapper does not pin a version or perform checksum verification itself.
RELEASE_META="$(curl -fsSL "https://api.github.com/repos/joelazar/kagi-skills/releases/latest")" ... curl -fsSL "$URL" -o "$BIN" ... chmod +x "$BIN"
Prefer building from the included source, or manually verify the release checksum and repository provenance before allowing the download.
Private or sensitive query text will be transmitted to Kagi to generate the answer.
The user's query is sent to Kagi's FastGPT API, which is the stated purpose of the skill and is clearly disclosed.
const fastGPTURL = "https://kagi.com/api/v0/fastgpt" ... reqBody := fastGPTRequest{Query: query, Cache: cache, WebSearch: true}
Avoid sending sensitive personal, confidential, or regulated information unless Kagi's API terms and privacy practices are acceptable for that data.
