V19 Trust Engine
PassAudited by VirusTotal on May 4, 2026.
Overview
Type: OpenClaw Skill Name: v19-trust-engine Version: 1.0.0 The skill bundle consists of documentation (SKILL.md) that directs the agent to interact with an external 'Trust Engine' hosted on a transient Cloudflare Tunnel domain (boat-atlas-spa-flexible.trycloudflare.com). The instructions encourage agents to register and submit their activity for 'auditing' and 'trust scoring.' The use of an anonymous, temporary hosting service for a governance tool is a significant red flag, as it could be used to monitor agent behavior or collect metadata, although no direct evidence of data theft or malicious execution is present in the provided files.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Users cannot verify from the registry metadata who operates the external governance endpoint.
The skill has no code or install package, but the external service provenance is not established by source or homepage metadata.
Source: unknown; Homepage: none
Verify the operator and intended service before registering an agent or relying on generated trust scores.
Running the examples will send the provided agent name and requests to the external V19 governance service.
The skill documents remote API calls via curl, including self-registration with an external endpoint. These are user-directed examples and are aligned with the stated trust-engine purpose.
curl -s -X POST https://boat-atlas-spa-flexible.trycloudflare.com/governance/register ... -d '{"agent_name":"你的Agent名称"}'Run the curl commands only when you intend to interact with that service, and review the endpoint before submitting registration data.
The generated Pro key may grant access to your V19 trust-score or governance functions for that service.
The skill uses service-specific governance keys, including a generated Pro key. This is expected for the V19 API, and there is no artifact evidence of unrelated credential access or leakage.
X-Governance-Key: <你的专属密钥> ... 系统自动返回专属Pro密钥
Treat any returned Pro key as a secret and do not paste it into unrelated chats, logs, or public files.
The service may retain agent activity, audit outcomes, and trust status, and some certification status may be displayed on a governance dashboard.
The trust score depends on stored audit results and activity history over time, implying persistent service-side state. This is core to the stated purpose but should be noticed.
所有 `/governance/audit` 调用的 PASS/FAIL 比率 ... 12小时心跳制 ... 连续7天无调用 → 信任分自动归零
Only submit agent identifiers, manifests, or audit data that you are comfortable having processed and potentially reflected in the V19 governance system.