← Back to Skills Marketplace
517
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install afrexai-vendor-risk
Description
Evaluate and score vendors on security, financials, compliance, operations, and data handling to classify risk and manage remediation plans effectively.
README (SKILL.md)
Vendor Risk Assessment
Score and manage third-party vendor risk across security, financial stability, compliance, operational dependency, and data handling. Built for procurement teams, CISOs, and operations leaders managing 10+ vendors.
Usage
Run this assessment for each critical vendor. Aggregate scores into a portfolio risk view.
Assessment Framework
1. Vendor Risk Scorecard (5 Domains, 0-100 each)
Security Posture (0-100)
- SOC 2 Type II current? (+20)
- Penetration test within 12 months? (+15)
- Incident response plan documented? (+15)
- Data encryption at rest and transit? (+15)
- MFA enforced for all access? (+10)
- Security questionnaire completed? (+10)
- Subprocessor list disclosed? (+15)
Financial Stability (0-100)
- Revenue trend (growing +25, flat +10, declining 0)
- Funding runway >18 months? (+20)
- Customer concentration \x3C20%? (+15)
- Public financials or audited statements? (+15)
- No material litigation? (+15)
- Credit rating acceptable? (+10)
Compliance & Regulatory (0-100)
- Industry certifications current? (+20)
- GDPR/CCPA compliant? (+20)
- Data processing agreement signed? (+15)
- Regulatory audit history clean? (+15)
- Right to audit clause? (+15)
- Data residency requirements met? (+15)
Operational Dependency (0-100)
- SLA with financial penalties? (+20)
- Uptime >99.9% trailing 12 months? (+20)
- Disaster recovery tested annually? (+15)
- Single point of failure for your business? (-20)
- Migration plan documented? (+15)
- API/export capability? (+15)
- Vendor lock-in risk assessment? (+15)
Data Handling (0-100)
- Data classification documented? (+20)
- Retention/deletion policies clear? (+20)
- Breach notification \x3C72 hours? (+20)
- Data portability guaranteed? (+15)
- AI/ML training on your data? (opt-out available +15, no opt-out -10)
- Access logging and audit trail? (+10)
2. Risk Tier Classification
| Aggregate Score | Tier | Review Cadence | Action |
|---|---|---|---|
| 400-500 | Low Risk | Annual | Standard monitoring |
| 300-399 | Moderate | Semi-annual | Remediation plan required |
| 200-299 | High Risk | Quarterly | Executive escalation, alternatives identified |
| 0-199 | Critical | Monthly | Exit plan required within 90 days |
3. Portfolio Risk View
Total vendors: ___
Critical tier: ___ (target: 0)
High risk: ___ (target: \x3C10%)
Moderate: ___ (target: \x3C30%)
Low risk: ___ (target: >60%)
Top 3 concentration risks:
1. [Vendor] — [function] — [% of operations dependent]
2. [Vendor] — [function] — [% of operations dependent]
3. [Vendor] — [function] — [% of operations dependent]
Annual vendor spend: $___
Spend on high/critical vendors: $___ (___%)
4. Cost of Vendor Failure
| Impact Area | Calculation |
|---|---|
| Revenue loss | Daily revenue × expected downtime days |
| Recovery cost | Migration estimate + emergency procurement |
| Compliance penalty | Regulatory fine range for data breach via vendor |
| Reputation damage | Customer churn rate × LTV × affected customers |
| Operational disruption | Staff idle cost × recovery period |
5. Quarterly Review Template
- Score changes since last review (flag any >10 point drops)
- New subprocessors added by vendor
- SLA performance vs target
- Security incidents or near-misses
- Contract renewal timeline and negotiation leverage
- Alternative vendor benchmarking
6. Red Flags (Immediate Action)
- Vendor acquired by competitor
- Key personnel departures (CISO, CTO)
- Downtime exceeding SLA 2+ months
- Regulatory action or investigation
- Refusal to complete security questionnaire
- Data breach affecting other customers
- Sudden pricing changes >20%
Industry-Specific Vendor Risks
| Industry | Critical Vendor Category | Specific Risk |
|---|---|---|
| Healthcare | EHR, billing, telehealth | HIPAA BAA gaps, PHI exposure |
| Financial Services | Core banking, payments, KYC | PCI DSS, regulatory reporting |
| Legal | Case management, ediscovery | Privilege breach, client data |
| SaaS | Infrastructure, auth, payments | Cascading outages, PII |
| Manufacturing | MES, supply chain, IoT | IP theft, production stoppage |
| Construction | Project management, safety | Compliance documentation gaps |
| Ecommerce | Payments, fulfillment, CDN | PCI, availability during peak |
| Recruitment | ATS, background check, payroll | Candidate PII, bias in AI screening |
| Real Estate | MLS, transaction mgmt, title | Wire fraud, closing delays |
| Professional Services | CRM, billing, document mgmt | Client confidentiality breach |
Get the Full Playbook
- AI Revenue Leak Calculator — Quantify your total automation opportunity
- Industry Context Packs — $47 each, deep-dive playbooks
- Agent Setup Wizard — Build your AI agent workforce
Usage Guidance
This skill appears coherent and safe as a playbook: it only contains assessment guidance and templates and does not request credentials or install anything. Before using, review any external links (the playbook and agent‑setup URLs) in a browser to confirm they are trustworthy and avoid pasting sensitive credentials into third‑party sites. If you plan to automate vendor assessments, sandbox any agent workflows that will handle vendor data and ensure they do not forward sensitive information to unknown endpoints.
Capability Analysis
Type: OpenClaw Skill
Name: afrexai-vendor-risk
Version: 1.0.0
The skill bundle provides a framework for vendor risk assessment, including scoring, classification, and review templates. The `SKILL.md` and `README.md` files contain only descriptive and instructional text related to this purpose, with no evidence of prompt injection attempts, malicious commands, data exfiltration, or other harmful behaviors. External links point to a GitHub Pages domain (`afrexai-cto.github.io`) for related commercial offerings, which is not inherently malicious in this context.
Capability Assessment
Purpose & Capability
The name/description (vendor risk assessment) matches the SKILL.md content: scoring rubric, portfolio view, templates, and red‑flags. There are no unexpected binaries, credentials, or system config requirements for this stated purpose.
Instruction Scope
The SKILL.md stays within the assessment domain (scoring, review templates, remediation actions). It includes external links to paid playbooks and an 'Agent Setup Wizard' URL — these are outside the skill but are only links. The skill itself does not instruct the agent to read local files, environment variables, or to transmit data to remote endpoints, but you should vet those external sites before following them.
Install Mechanism
Instruction-only skill with no install spec and no code files. This is low risk because nothing is written to disk or executed by the skill itself.
Credentials
No environment variables, credentials, or config paths are requested. The lack of secret or cloud credential requests is appropriate for a guidance/playbook skill.
Persistence & Privilege
Defaults are used (always:false, agent invocation allowed). The skill does not request permanent presence or elevated privileges and does not attempt to modify other skills or system settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install afrexai-vendor-risk - After installation, invoke the skill by name or use
/afrexai-vendor-risk - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of afrexai-vendor-risk v1.0.0.
- Introduces a comprehensive vendor risk assessment framework covering security, financial stability, compliance, operational dependency, and data handling.
- Provides domain-based scoring (0-100) and aggregates to classify vendors into risk tiers with recommended review cadences.
- Includes a portfolio risk view, cost of vendor failure calculator, quarterly review template, and immediate action red flags.
- Features industry-specific risks and targeted recommendations for procurement, CISOs, and operations leaders.
- Links to additional resources such as playbooks and tools for deeper analysis.
Metadata
Frequently Asked Questions
What is Vendor Risk Assessment?
Evaluate and score vendors on security, financials, compliance, operations, and data handling to classify risk and manage remediation plans effectively. It is an AI Agent Skill for Claude Code / OpenClaw, with 517 downloads so far.
How do I install Vendor Risk Assessment?
Run "/install afrexai-vendor-risk" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Vendor Risk Assessment free?
Yes, Vendor Risk Assessment is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Vendor Risk Assessment support?
Vendor Risk Assessment is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Vendor Risk Assessment?
It is built and maintained by 1kalin (@1kalin); the current version is v1.0.0.
More Skills