V19 Agent Rating

Pass

Audited by ClawScan on May 4, 2026.

Overview

This documentation-only rating skill is coherent, but users should verify the external Cloudflare-tunnel API before sending any agent names or governance keys.

This skill appears safe to read as documentation. Before running its curl examples, confirm that you trust the external trycloudflare.com governance service, use only non-sensitive agent names, and do not provide a private governance key unless you understand what access it grants.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used, an agent name is sent to an external service and may create a registration there.

Why it was flagged

This documents a remote POST that can send an agent name and perform registration. It is presented as an example, not an automatic action, but users should approve it before running.

Skill content

curl -s -X POST https://boat-atlas-spa-flexible.trycloudflare.com/governance/register ... -d '{"agent_name":"你的Agent名称"}'

Recommendation

Run the registration command only intentionally, avoid sensitive identifiers in the agent name, and verify the endpoint owner first.

What this means

A private governance key could grant access to the external service if shared or exposed.

Why it was flagged

The API examples use a governance key header even though registry metadata declares no primary credential. This is purpose-aligned for an authenticated API call, but a personal key would be delegated access.

Skill content

-H "X-Governance-Key: <你的专属密钥>"

Recommendation

Use only a key you intend to share with that service, prefer least-privilege or test keys, and avoid pasting private keys into logs or public conversations.

What this means

Users may not be able to independently confirm who operates the remote API before sending data to it.

Why it was flagged

No authoritative source or homepage is provided for a skill that directs users to an external governance API, leaving service provenance unclear.

Skill content

Source: unknown; Homepage: none

Recommendation

Verify the skill owner and API endpoint through a trusted channel before using the curl examples.

What this means

Users could place more trust in the rating/certification claims than the supplied artifacts alone justify.

Why it was flagged

The skill presents verification and certification language, but the provided artifacts do not include independent evidence validating those claims.

Skill content

Verification status ... ✅ Certified (V19-CERT-001)

Recommendation

Treat the certification statements as developer-provided claims unless they are independently verified.