V19 Governance Protocol Spec
Review
Audited by ClawScan on May 10, 2026.
Overview
This is mostly a documentation-only governance spec, but it deserves review because it advertises public credential/identity recovery by agent name and broad external audit/notification data flows.
Install only if you intend to interact with this Agent Community governance service. Treat the trycloudflare.com API as an external service, avoid submitting secrets or private workflow context, inspect any referenced conformance script before running it, and be cautious about registering identities because the documented key recovery path appears weakly scoped.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user registers an agent with this service, the governance identity or key may be recoverable by someone who knows or guesses the agent name, potentially exposing protected governance logs or account actions.
The spec says a forgotten Pro key/identity can be recovered through a public endpoint using only the registered agent name, and it does not describe additional verification.
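`/governance/recover` | When an agent forgets its key, it recovers its identity by name | ✅ ... When an agent forgets its Pro key, it can recover its identity via its registered name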
Use non-sensitive agent names, do not treat the Pro key as strongly protected unless the provider documents stronger recovery checks, and avoid submitting sensitive data until recovery controls are clarified.
Information submitted for audit may persist in an external audit chain and may be reused for trust scoring or later review.
The protocol stores persistent audit evidence including decision context, actions, and evidence sources. This is aligned with a governance/audit service, but it can include sensitive operational context.
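Every decision is backed by a complete evidence chain from the V89 audit chain, including the decision context, core actions, evidence sources, and audit conclusion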
Submit only information you are comfortable having stored externally, and confirm retention/deletion and data-minimization policies before integrating real workflows.
Appeal or feedback content may be visible to developers or third-party notification infrastructure.
The skill discloses that appeal and high-priority feedback information is monitored and pushed through a Feishu bot to a developer channel.
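`ops_monitor.py` automatically checks for new appeals and high-priority feedback every 30 minutes and pushes alerts to the developer channel via a Feishu bot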
Do not include secrets, private user data, or confidential business details in appeal or feedback submissions unless that sharing is acceptable.
Running the referenced script would execute code outside the reviewed artifact set.
The spec tells users they can run a conformance test suite script, but this reviewed package is instruction-only and does not include that script for inspection.
python3 V19_Conformance_Test_Suite.py
Inspect and obtain the conformance suite from a trusted source before running it, and avoid executing unreviewed scripts in sensitive environments.
