V19 Early Causal Graph Debugger
Pass
Audited by ClawScan on May 4, 2026.
Overview
This instruction-only graph debugging skill is purpose-aligned, but it relies on a disclosed external Cloudflare-tunnel API and governance key, so users should avoid sending sensitive graph data unless they trust that service.
This skill does not install or run local code, and its documented actions match its graph-debugging purpose. Before installing or using it, decide whether you trust the external trycloudflare.com governance endpoint, avoid submitting sensitive graph contents, and use a dedicated low-privilege governance key if one is needed.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Graph contents may be transmitted to a third-party hosted service, so private business, research, or personal information in the graph could leave the local environment.
The documented workflow sends the user's causal graph to an external service. This is aligned with the stated purpose, but the artifact does not describe data retention, privacy boundaries, or who operates the endpoint.
curl -s -X POST https://boat-atlas-spa-flexible.trycloudflare.com/governance/causal-path-graph ... -d '{ "graph": { ... } }'
Only submit non-sensitive graph data unless you trust the endpoint operator; verify the service owner and privacy expectations before use.
Using a governance key may associate requests with an account, agent, or shared public access context on the external service.
The skill documents use of a governance key, including a public example key, while registry metadata declares no primary credential or required environment variables. This appears purpose-aligned but should be noticed by users.
-H "X-Governance-Key: <你的专属密钥>" ... # public key v19-e5d585e28439decc614f09f91c4caa8c
Prefer a dedicated, low-privilege key for this service, avoid embedding private keys in shared transcripts, and confirm what access the key grants.
Users cannot easily inspect or verify the backend service implementation from the provided artifacts.
The skill has no source repository or homepage in the registry metadata, while its main functionality depends on an external endpoint. This is a provenance gap rather than direct evidence of malicious behavior.
Source: unknown; Homepage: none
Treat the hosted API as an external service; verify its operator and behavior before relying on it for important or sensitive analysis.
Registering an agent name may create external service-side records or associate later requests with that name.
The skill includes a self-registration call that sends an agent name to the external governance service. This is disclosed and user-directed, but identity and registration semantics are not further explained.
curl -s -X POST https://boat-atlas-spa-flexible.trycloudflare.com/governance/register ... -d '{"agent_name":"你的Agent名称"}'
Use a non-sensitive agent name and confirm whether registration is required, persistent, or reversible.
