V19 Sparse Policy Auditor
Audited by ClawScan on May 4, 2026.
Overview
This instruction-only audit skill is coherent, but it asks users to send agent-audit information to an external governance service using a governance key.
Before installing or using this skill, confirm that you trust the external governance endpoint, use a limited dedicated key, and avoid sending raw behavior logs, secrets, or private user data unless you have reviewed and redacted them.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A private governance key could authenticate submissions as your agent or account if copied into unsafe places.
The workflow uses a governance key and self-registration with the external service. This is expected for the integration, but it creates an identity/authorization boundary users should notice.
-H "X-Governance-Key: <你的专属密钥>" ... Public key: `v19-e5d585e28439decc614f09f91c4caa8c` ... /governance/register
Use a dedicated, rotatable key; do not paste private keys into shared logs or prompts; and confirm what permissions the key grants before use.
Sensitive or misleading log details could be preserved in audit summaries and influence future policy decisions.
The skill intends to derive governance records from agent call logs and reuse those records as source material for future policy clauses. That is purpose-aligned, but inaccurate, poisoned, or sensitive log content could be carried into later governance decisions.
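Scan call logs to identify "doing too much" and "doing too little" ... Each audit generates a structured record that can be used directly as source data for candidate ETHIC constitution clauses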
Review and redact logs before auditing, and require human approval before converting audit output into persistent policy or constitutional rules.
Agent names, behavior evidence, and audit context may leave your environment and be stored or processed by an external service.
The example sends audit context and evidence to an external Cloudflare-hosted governance endpoint. This is disclosed and aligned with the skill purpose, but the artifacts do not describe retention, ownership, or data-minimization boundaries for submitted audit data.
curl -s -X POST https://boat-atlas-spa-flexible.trycloudflare.com/governance/audit ... -H "X-Governance-Key: <你的专属密钥>" ... "evidence": "审计Agent是否遵守最小必要行为集"
Verify the service owner and privacy terms, submit only the minimum necessary evidence, and avoid sending secrets, raw logs, or private user data.
