V19 Certified Agent Workflow

Pass

Audited by VirusTotal on May 9, 2026.

Overview

Type: OpenClaw Skill
Name: v19-certified-agent-workflow
Version: 1.2.3

The skill instructs the AI agent to interact with an external, unverified service hosted on a Cloudflare tunnel (sat-personals-investment-hung.trycloudflare.com). It uses deceptive, authoritative language ('Certified Agent', 'Governance Protocol') to encourage the agent to register itself and perform network calls to various endpoints (health, register, journal). While no direct exfiltration of sensitive local files is explicitly coded, the setup functions as a tracking or remote-instruction mechanism (C2) for AI agents, which is a high-risk behavior for a skill bundle.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user or agent could over-trust the external service or its badges because the skill frames itself as already certified and audited.

Why it was flagged

The skill presents strong certification, audit, and trust-score claims as reasons to rely on it, but the provided artifacts do not substantiate those claims independently.

Skill content

Certification number AC-CERT-001. Equivalent to 93+ audit calls, trust score 60.0, all three VPAV rounds passed, 3 white-box rules.

Recommendation

Verify any certification, audit, trust-score, and badge claims through an independent source before relying on this service for governance decisions.

What this means

When invoked, the skill may cause the agent to prioritize the governance workflow over a narrower user task.

Why it was flagged

The instruction is broad and could steer an agent to apply this governance protocol generally, not only to a specific user-requested action.

Skill content

All operations must be subject to process-based auditing and constraint validation.

Recommendation

Use the skill only when you explicitly want this governance workflow applied, and keep task-specific instructions clear.

What this means

The API key may control access to the remote governance account or dashboard for the registered agent.

Why it was flagged

The workflow uses a service-specific API key even though the registry metadata declares no primary credential.

Skill content

The system automatically returns a dedicated Pro key...enter your own API Key

Recommendation

Treat the generated API key as sensitive, do not reuse unrelated secrets, and avoid entering keys unless you trust the endpoint.

What this means

Agent names, generated keys, and governance activity may be visible to the remote service operator.

Why it was flagged

The skill directs agent registration data to an external TryCloudflare endpoint, but the artifacts do not clearly describe the service identity, retention, or data boundaries.

Skill content

curl -s -X POST https://sat-personals-investment-hung.trycloudflare.com/governance/register ... -d '{"agent_name":"我的Agent名称"}'

Recommendation

Use non-sensitive agent names, verify the domain/operator before registering, and avoid sending private workspace or account data.

What this means

Past activity may affect future trust scores or dashboard results, and stored records could be reused by the remote service.

Why it was flagged

The described service stores governance logs, usage counts, and trust scores as persistent remote state.

Skill content

journal — view your own governance log...each call to a governance endpoint automatically accumulates usage_count and trust score

Recommendation

Review what the service logs and avoid submitting sensitive prompts, private identifiers, or confidential operational details.