← Back to Skills Marketplace
afrexai-cto

Vendor Risk Assessment

by afrexai-cto · GitHub ↗ · v1.0.1 · MIT-0
cross-platform ✓ Security Clean
157
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install afrexai-vendor-risk-assessment
Description
Assess third-party vendor risk for AI and SaaS products. Evaluates security posture, data handling, compliance, financial stability, and operational resilien...
README (SKILL.md)

Vendor Risk Assessment

Evaluate any AI/SaaS vendor across 6 risk dimensions. Outputs a scored report with go/no-go recommendation.

When to Use

  • Onboarding a new SaaS or AI vendor
  • Annual vendor review cycle
  • Evaluating build-vs-buy decisions
  • Due diligence for partnerships or acquisitions
  • Compliance requirements (SOC2, ISO 27001, GDPR)

How to Use

The user provides vendor details (name, product, website, any available documentation). The agent researches and scores the vendor across 6 dimensions.

Input Format

Vendor: [Company Name]
Product: [Product/Service Name]
Website: [URL]
Use Case: [What you'd use it for]
Data Sensitivity: [low/medium/high/critical]
Additional Context: [Any docs, certifications, or concerns]

Assessment Framework

6 Risk Dimensions (each scored 1-10)

1. Security Posture

  • SOC2 Type II certification?
  • Penetration testing cadence
  • Encryption (at rest + in transit)
  • Access controls and authentication
  • Incident response plan
  • Bug bounty program

2. Data Handling & Privacy

  • Data residency and sovereignty
  • Data retention and deletion policies
  • Sub-processor transparency
  • GDPR/CCPA compliance
  • Data portability (can you get your data out?)
  • AI training opt-out policies

3. Compliance & Certifications

  • SOC2, ISO 27001, HIPAA, FedRAMP
  • Industry-specific (PCI-DSS, HITRUST, etc.)
  • AI-specific (EU AI Act readiness, NIST AI RMF)
  • Audit frequency and transparency
  • Regulatory track record

4. Financial Stability

  • Funding stage and runway
  • Revenue indicators (public or estimated)
  • Customer concentration risk
  • Acquisition risk
  • Pricing stability history

5. Operational Resilience

  • Uptime SLA and historical performance
  • Disaster recovery plan
  • Multi-region availability
  • Dependency on single cloud provider
  • Support responsiveness and escalation paths
  • Change management process

6. Contractual Terms

  • Termination and exit clauses
  • Liability caps and indemnification
  • IP ownership clarity
  • Auto-renewal traps
  • Price increase limitations
  • SLA breach remedies

Output Format

# Vendor Risk Assessment: [Vendor Name]
**Date:** YYYY-MM-DD
**Assessor:** AI Agent (AfrexAI)
**Data Sensitivity Level:** [low/medium/high/critical]

## Overall Risk Score: [X/10] — [LOW/MEDIUM/HIGH/CRITICAL]

## Dimension Scores
| Dimension | Score | Risk Level | Key Finding |
|-----------|-------|------------|-------------|
| Security Posture | X/10 | LOW/MED/HIGH | ... |
| Data Handling | X/10 | LOW/MED/HIGH | ... |
| Compliance | X/10 | LOW/MED/HIGH | ... |
| Financial Stability | X/10 | LOW/MED/HIGH | ... |
| Operational Resilience | X/10 | LOW/MED/HIGH | ... |
| Contractual Terms | X/10 | LOW/MED/HIGH | ... |

## Recommendation: [APPROVE / APPROVE WITH CONDITIONS / REJECT]

## Critical Findings
- [Finding 1]
- [Finding 2]

## Mitigation Requirements (if Approve with Conditions)
1. [Requirement 1 — deadline]
2. [Requirement 2 — deadline]

## Research Sources
- [Source 1]
- [Source 2]

Scoring Guide

  • 9-10: Excellent — minimal risk, enterprise-grade
  • 7-8: Good — acceptable for most use cases
  • 5-6: Moderate — proceed with caution, mitigations needed
  • 3-4: Poor — significant concerns, conditional approval only
  • 1-2: Critical — recommend rejection or major remediation

Overall Risk Calculation

  • Average of 6 dimensions, weighted by data sensitivity:
    • Low sensitivity: equal weights
    • Medium: Security 2x, Data 2x
    • High: Security 3x, Data 3x, Compliance 2x
    • Critical: Security 4x, Data 4x, Compliance 3x, Financial 2x

Research Process

  1. Check vendor website for security/compliance pages
  2. Search for SOC2/ISO certifications and trust pages
  3. Check status pages for uptime history
  4. Search for breach history or security incidents
  5. Review pricing page for contract terms indicators
  6. Check Crunchbase/LinkedIn for financial stability signals
  7. Search for customer reviews mentioning reliability/support

Pro Tips

  • Request the vendor's SOC2 Type II report directly — if they hesitate, that's a signal
  • Check their status page history (statuspage.io, etc.) for real uptime data
  • For AI vendors specifically: ask about model training on your data, output ownership, and hallucination liability
  • Compare their security page to competitors — vague = red flag

Need help managing vendor risk across your entire stack? AfrexAI builds autonomous AI agents that monitor vendors continuously — not just at onboarding. Visit afrexai.com or book a call: calendly.com/cbeckford-afrexai/30min

Usage Guidance
This skill appears coherent and safe as authored, but take these precautions before use: (1) Do not upload unredacted sensitive documents — redact PII/credentials before sharing. (2) Expect the agent to perform public web lookups; verify any external sources it cites. (3) Treat the risk scores as advisory — validate critical findings (e.g., SOC2 reports) by requesting primary evidence from the vendor. (4) Note the README/SKILL include promotional links to AfrexAI; that is benign but be cautious about following third-party call/book links from within an automated workflow.
Capability Assessment
Purpose & Capability
Name/description match the content: SKILL.md defines a vendor-risk scoring framework and research steps that align with assessing AI/SaaS vendors. There are no unrelated resource requests (no cloud creds, no binaries).
Instruction Scope
Instructions direct the agent to research public sources (vendor site, status pages, Crunchbase, breach history). That is expected for this purpose, but it means the agent will access external web resources and may request user-provided documents; sensitive data should be redacted before sharing.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk and no external packages are pulled in.
Credentials
No required environment variables, no credentials, and no config paths are requested. The skill does not ask for unrelated secrets or system access.
Persistence & Privilege
always is false and the skill is user-invocable. It does not request permanent presence or modification of other skills or agent-wide settings.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install afrexai-vendor-risk-assessment
  3. After installation, invoke the skill by name or use /afrexai-vendor-risk-assessment
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
- Added detailed vendor risk assessment framework covering 6 risk dimensions: Security Posture, Data Handling & Privacy, Compliance & Certifications, Financial Stability, Operational Resilience, and Contractual Terms. - Defined when and how to use the skill, including required input and output formats. - Included a scoring methodology and weighted risk calculation based on data sensitivity. - Provided step-by-step research process and best practices for effective vendor assessment. - Outlined actionable pro tips and mitigation strategies for risk management.
Metadata
Slug afrexai-vendor-risk-assessment
Version 1.0.1
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Vendor Risk Assessment?

Assess third-party vendor risk for AI and SaaS products. Evaluates security posture, data handling, compliance, financial stability, and operational resilien... It is an AI Agent Skill for Claude Code / OpenClaw, with 157 downloads so far.

How do I install Vendor Risk Assessment?

Run "/install afrexai-vendor-risk-assessment" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Vendor Risk Assessment free?

Yes, Vendor Risk Assessment is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Vendor Risk Assessment support?

Vendor Risk Assessment is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Vendor Risk Assessment?

It is built and maintained by afrexai-cto (@afrexai-cto); the current version is v1.0.1.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463942 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259883 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200739 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191401 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190375 · by oswalpalash

💬 Comments