FastClaw AI部署工具
PassAudited by VirusTotal on May 5, 2026.
Overview
Type: OpenClaw Skill Name: fastclaw-ai-deployer Version: 1.2.0 The skill bundle is a deployment tool for 'FastClaw', a lightweight AI agent runtime. The installation script (scripts/install.sh) follows standard patterns for downloading and installing a binary from a public GitHub repository to the system path. The documentation (README.md and SKILL.md) is transparent about its functionality, including local configuration storage in ~/.fastclaw and the use of external LLM APIs. No evidence of data exfiltration, unauthorized persistence, or malicious prompt injection was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the upstream installer or GitHub account is compromised, the user could run untrusted installation code.
The documented install methods execute remote installer scripts from GitHub. This is expected for a deployment tool, but the commands use a mutable branch URL and do not show checksum or signature verification.
irm https://raw.githubusercontent.com/fastclaw-ai/fastclaw/main/install.ps1 | iex ... curl -fsSL https://raw.githubusercontent.com/fastclaw-ai/fastclaw/main/install.sh | bash
Prefer manual downloads from a verified release, inspect installer scripts before running them, and avoid administrator/root execution unless necessary.
The installed FastClaw binary will run locally and may handle conversations and API keys.
The included installer downloads a prebuilt executable and places it on PATH. That is central to the skill’s deployment purpose, but the binary itself is not included for review and no integrity check is shown.
DOWNLOAD_URL="https://github.com/fastclaw-ai/fastclaw/releases/download/${VERSION}/fastclaw_${ARCH}.tar.gz" ... tar -xzf ... mv "${INSTALL_DIR}/fastclaw" /usr/local/bin/fastclawInstall only from a trusted release source, verify checksums or signatures if available, and review the upstream project before running the binary.
Anyone who can read the local FastClaw configuration directory may be able to access stored provider API keys.
The runtime asks the user to configure an LLM provider API key and stores API keys locally. This is expected for multi-provider LLM use, but it is sensitive credential handling.
API Key:填入你的 OpenRouter API Key ... .fastclaw/ ├── apikeys.json # API 密钥
Use least-privilege API keys where possible, protect the ~/.fastclaw directory, and rotate keys if the machine or files are exposed.
Conversation content may be transmitted to the selected LLM provider unless the user chooses a local model such as Ollama.
The skill supports sending model requests to external or custom LLM providers. This is disclosed and purpose-aligned, but user prompts and agent context may leave the local machine depending on provider choice.
支持多种LLM提供商:OpenRouter、OpenAI、Anthropic、Ollama、自定义API
Avoid sending confidential data to third-party providers unless their privacy and retention terms are acceptable; use local models for sensitive work.
Private preferences, project details, or misleading instructions could persist across future conversations.
The provided agent template encourages persistent long-term memory updates and reuse through MEMORY.md. This is disclosed, but persistent memory can retain sensitive context or carry forward poisoned instructions.
FastClaw 使用 `MEMORY.md` 存储长期记忆。每次对话结束后,如果学到了新东西,主动更新 `MEMORY.md`。
Review MEMORY.md periodically, avoid storing secrets there, and clear or edit memory when it contains outdated or sensitive information.