FastClaw AI Deployment Tool
Pass
Audited by ClawScan on May 5, 2026.
Overview
The skill is coherent as a FastClaw deployment guide, but users should review the external installer, API key storage, and persistent memory behavior before using it.
This skill does not show artifact-backed malicious behavior. Before installing or following its setup commands, verify the FastClaw GitHub source, avoid piping remote scripts into a shell unless you trust and inspect them, protect API keys stored under ~/.fastclaw, and review persistent MEMORY.md contents regularly.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the upstream installer or GitHub account is compromised, the user could run untrusted installation code.
The documented install methods execute remote installer scripts from GitHub. This is expected for a deployment tool, but the commands use a mutable branch URL and do not show checksum or signature verification.
irm https://raw.githubusercontent.com/fastclaw-ai/fastclaw/main/install.ps1 | iex
...
curl -fsSL https://raw.githubusercontent.com/fastclaw-ai/fastclaw/main/install.sh | bash
Prefer manual downloads from a verified release, inspect installer scripts before running them, and avoid administrator/root execution unless necessary.
The installed FastClaw binary will run locally and may handle conversations and API keys.
The included installer downloads a prebuilt executable and places it on PATH. That is central to the skill’s deployment purpose, but the binary itself is not included for review and no integrity check is shown.
DOWNLOAD_URL="https://github.com/fastclaw-ai/fastclaw/releases/download/${VERSION}/fastclaw_${ARCH}.tar.gz" ... tar -xzf ... mv "${INSTALL_DIR}/fastclaw" /usr/local/bin/fastclaw
Install only from a trusted release source, verify checksums or signatures if available, and review the upstream project before running the binary.
Anyone who can read the local FastClaw configuration directory may be able to access stored provider API keys.
The runtime asks the user to configure an LLM provider API key and stores API keys locally. This is expected for multi-provider LLM use, but it is sensitive credential handling.
API Key: enter your OpenRouter API Key ... .fastclaw/ ├── apikeys.json # API keys
Use least-privilege API keys where possible, protect the ~/.fastclaw directory, and rotate keys if the machine or files are exposed.
Conversation content may be transmitted to the selected LLM provider unless the user chooses a local model such as Ollama.
The skill supports sending model requests to external or custom LLM providers. This is disclosed and purpose-aligned, but user prompts and agent context may leave the local machine depending on provider choice.
Supports multiple LLM providers: OpenRouter, OpenAI, Anthropic, Ollama, custom API
Avoid sending confidential data to third-party providers unless their privacy and retention terms are acceptable; use local models for sensitive work.
Private preferences, project details, or misleading instructions could persist across future conversations.
The provided agent template encourages persistent long-term memory updates and reuse through MEMORY.md. This is disclosed, but persistent memory can retain sensitive context or carry forward poisoned instructions.
FastClaw uses `MEMORY.md` to store long-term memory. After each conversation, if something new was learned, proactively update `MEMORY.md`.
Review MEMORY.md periodically, avoid storing secrets there, and clear or edit memory when it contains outdated or sensitive information.
