mailnike

AuditClaw Idp

by Nikhil Jathar · GitHub ↗ · v1.0.2
cross-platform · Security scan: Clean
570 Downloads · 0 Stars · 0 Active Installs · 3 Versions
Install in OpenClaw: /install auditclaw-idp
Description
Identity provider compliance checks for auditclaw-grc. 8 read-only checks across Google Workspace (MFA, admin audit, inactive users, passwords) and Okta (MFA...
README (SKILL.md)

AuditClaw IDP

Companion skill for auditclaw-grc. Collects compliance evidence from Google Workspace and Okta identity providers using read-only API calls.

8 checks | Read-only API access | Evidence stored in shared GRC database

Security Model

  • Read-only access: Google Workspace uses admin.directory.user.readonly scope only. Okta uses okta.users.read, okta.factors.read, okta.policies.read scopes only. No write/modify permissions.
  • Credentials: Uses standard env vars for each provider. No credentials stored by this skill.
  • Dependencies: Google API client + requests (all pinned in requirements.txt)
  • Data flow: Check results stored as evidence in ~/.openclaw/grc/compliance.sqlite via auditclaw-grc

Prerequisites

  • Google Workspace: Service account JSON with domain-wide delegation, admin email for impersonation
  • Okta: API token (SSWS) with read-only scopes
  • pip install -r scripts/requirements.txt
  • auditclaw-grc skill installed and initialized

Environment Variables

Google Workspace (optional; skip if not configured)

  • GOOGLE_WORKSPACE_SA_KEY: Path to service account JSON file
  • GOOGLE_WORKSPACE_ADMIN_EMAIL: Super admin email to impersonate

Okta (optional; skip if not configured)

  • OKTA_ORG_URL: Okta org URL (for example https://mycompany.okta.com)
  • OKTA_API_TOKEN: API token (SSWS) with read-only scopes

Commands

  • "Run IDP evidence sweep": Run all checks for configured providers
  • "Check Google Workspace MFA": Run Google MFA check
  • "Check Okta password policies": Run Okta password policy check
  • "Show IDP integration health": Last sync, errors, evidence count

Usage

All evidence is stored in the shared GRC database at ~/.openclaw/grc/compliance.sqlite via the auditclaw-grc skill's db_query.py script.

To run a full evidence sweep (all configured providers):

python3 scripts/idp_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --all

To run checks for a specific provider:

python3 scripts/idp_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --provider google
python3 scripts/idp_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --provider okta

To run specific checks:

python3 scripts/idp_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --checks google_mfa,okta_mfa

Check Categories (8)

| Check | Provider | What It Verifies |
|---|---|---|
| google_mfa | Google Workspace | All active users have 2SV enrolled and enforced |
| google_admins | Google Workspace | Super admin count 2-4, all with 2SV |
| google_inactive | Google Workspace | No active users with lastLoginTime > 90 days |
| google_passwords | Google Workspace | All users have passwordStrength == "STRONG" |
| okta_mfa | Okta | All active users have at least 1 MFA factor enrolled |
| okta_passwords | Okta | Password policy: minLength >= 12, history >= 5, maxAttempts <= 5, maxAge <= 90 |
| okta_inactive | Okta | No active users with lastLogin > 90 days |
| okta_sessions | Okta | MFA required, session lifetime <= 12h, idle <= 1h |

Evidence Storage

Each check produces evidence items stored with:

  • source: "idp"
  • type: "automated"
  • control_id: Mapped to relevant SOC2/ISO/NIST/HIPAA controls
  • description: Human-readable finding summary
  • file_content: JSON details of the check result
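To make the check table and the evidence shape concrete, here is an added example (not the skill's own code) that evaluates two of the Okta rows, okta_inactive and okta_passwords, against the README's thresholds and emits evidence dicts with the fields listed above. The input records are constructed to resemble Okta user and password-policy objects (field layout and the meaning of 0 as "no limit" are assumptions), and the control_id is a placeholder rather than the skill's real SOC2/ISO/NIST/HIPAA mapping.

```python
import json
from datetime import datetime, timedelta, timezone
INACTIVE_DAYS = 90
# Thresholds from the okta_passwords row of the check table above.
PASSWORD_LIMITS = {"minLength": (">=", 12), "history": (">=", 5),
                   "maxAttempts": ("<=", 5), "maxAge": ("<=", 90)}
def evidence(control_id, description, details, passed):
    # Field names follow the "Evidence Storage" section; control_id is a placeholder.
    return {"source": "idp", "type": "automated", "control_id": control_id,
            "description": description, "passed": passed,
            "file_content": json.dumps(details, sort_keys=True)}
def check_okta_inactive(users, now):
    """okta_inactive: ACTIVE users with no login in the last 90 days (or never)."""
    cutoff = now - timedelta(days=INACTIVE_DAYS)
    stale = []
    for u in users:
        if u.get("status") != "ACTIVE":
            continue  # suspended/deprovisioned accounts are out of scope here
        last = u.get("lastLogin")
        if last is None or datetime.fromisoformat(last.replace("Z", "+00:00")) < cutoff:
            stale.append(u["profile"]["login"])
    return evidence("CONTROL-ID-PLACEHOLDER",
                    f"{len(stale)} active user(s) inactive > {INACTIVE_DAYS} days",
                    {"inactive_users": stale}, passed=not stale)
def check_okta_passwords(policy):
    """okta_passwords: minLength>=12, history>=5, maxAttempts<=5, maxAge<=90."""
    pw = policy["settings"]["password"]  # assumed layout of an Okta password policy
    observed = {"minLength": pw["complexity"]["minLength"], "history": pw["age"]["historyCount"],
                "maxAttempts": pw["lockout"]["maxAttempts"], "maxAge": pw["age"]["maxAgeDays"]}
    failures = {}
    for key, (op, limit) in PASSWORD_LIMITS.items():
        value = observed[key]
        if op == "<=" and value == 0:
            value = float("inf")  # assumed: 0 means "no limit" in Okta, so it must fail a <= check
        if not (value >= limit if op == ">=" else value <= limit):
            failures[key] = {"observed": observed[key], "required": op + str(limit)}
    return evidence("CONTROL-ID-PLACEHOLDER",
                    f"password policy '{policy['name']}': {len(failures)} setting(s) out of bounds",
                    {"observed": observed, "failures": failures}, passed=not failures)
# Constructed sample input, shaped like (but not taken from) Okta API responses.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"status": "ACTIVE", "lastLogin": "2024-12-20T10:00:00.000Z", "profile": {"login": "alice@example.com"}},
    {"status": "ACTIVE", "lastLogin": "2024-06-01T10:00:00.000Z", "profile": {"login": "bob@example.com"}},
    {"status": "ACTIVE", "lastLogin": None, "profile": {"login": "carol@example.com"}},
    {"status": "DEPROVISIONED", "lastLogin": None, "profile": {"login": "dave@example.com"}}]
SAMPLE_POLICY = {"name": "Default Policy", "settings": {"password": {
    "complexity": {"minLength": 8}, "age": {"historyCount": 4, "maxAgeDays": 0},
    "lockout": {"maxAttempts": 10}}}}
```

Note the maxAge handling: a naive `0 <= 90` comparison would mark a never-expiring password policy as compliant, which is the kind of false pass a compliance check must avoid.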

Setup Guide

AuditClaw supports two identity providers. Configure one or both.

Google Workspace Setup

Step 1: Enable Admin SDK API
Go to Google Cloud Console → APIs & Services → Library → Enable "Admin SDK API"

Step 2: Create Service Account
IAM & Admin → Service Accounts → Create. Enable domain-wide delegation.

Step 3: Grant OAuth Scopes
In Google Admin → Security → API controls → Domain-wide delegation, add the service account with:

  • https://www.googleapis.com/auth/admin.directory.user.readonly
  • https://www.googleapis.com/auth/admin.reports.audit.readonly

Step 4: Set Environment Variables

  • GOOGLE_WORKSPACE_SA_KEY=/path/to/service-account.json
  • GOOGLE_WORKSPACE_ADMIN_EMAIL=super-admin@your-domain.example

Okta Setup

Step 1: Create API Token
Okta Admin → Security → API → Tokens → Create Token. Name: auditclaw-scanner

Step 2: Required Permissions
The token inherits the creating admin's permissions. It needs read access to users, factors and policies. Scopes: okta.users.read, okta.factors.read, okta.policies.read

Step 3: Set Environment Variables

  • OKTA_ORG_URL=https://mycompany.okta.com
  • OKTA_API_TOKEN=your-token-here

Verify Connection

Run: python3 {baseDir}/scripts/idp_evidence.py --test-connection

The exact permissions are documented in scripts/idp-permissions.json. Show them with:

python3 {baseDir}/../auditclaw-grc/scripts/db_query.py --action show-policy --provider idp

Usage Guidance
This skill appears to do what it claims: read-only audits of Google Workspace and Okta, with results stored in the AuditClaw GRC database. Before installing or running it:

  1. Provide only a Google service account with the minimal domain-wide delegation scopes (and the correct admin_email) and an Okta API token created by a read-only admin; avoid supplying more-privileged keys.
  2. Confirm the target DB path (~/.openclaw/grc/compliance.sqlite) is the intended AuditClaw GRC database and that you trust its schema and backups, because the skill inserts rows directly if the db_query helper is absent.
  3. Review the local auditclaw-grc/scripts/db_query.py on your system (if present), since the skill invokes it via subprocess; make sure it is the legitimate script.
  4. Verify file permissions on the service-account JSON and the DB so secrets and evidence are protected.

These are expected operational checks, not evidence of malicious behavior.
Capability Analysis
Type: OpenClaw Skill
Name: auditclaw-idp
Version: 1.0.2

The skill `auditclaw-idp` is designed for identity provider compliance checks, collecting read-only data from Google Workspace and Okta APIs and storing it locally in `~/.openclaw/grc/compliance.sqlite`. All API interactions are read-only, as explicitly stated and confirmed by code analysis. Credentials are handled via environment variables. While the `scripts/idp_evidence.py` orchestrator uses `subprocess.run` to interact with a companion `db_query.py` script, arguments are passed as a list (mitigating shell injection) and data is JSON-encoded, indicating legitimate inter-skill communication rather than malicious intent or a direct vulnerability within this skill. No evidence of data exfiltration, persistence, obfuscation, or prompt injection was found.
Capability Assessment
Purpose & Capability
Name/description claim read-only Google Workspace and Okta checks; code implements exactly those checks and only asks (optionally) for Google service account JSON + admin email and Okta org URL + API token. Required binary (python3) and Python dependencies match the implementation. Minor mismatch: SKILL.md mentions an extra read-only reports scope but the build function uses the directory.users readonly scope; this is an implementation detail, not a capability mismatch.
Instruction Scope
Runtime instructions and idp_evidence.py are explicit: call provider APIs, assemble findings, and store evidence in the shared GRC DB (~/.openclaw/grc/compliance.sqlite). The script tries to invoke auditclaw-grc's db_query.py (subprocess) if present, and falls back to direct SQLite INSERT into the DB. These behaviors are coherent with the documented evidence-storage model but mean the skill will read environment variables, potentially read a local service-account JSON file path, and write into the shared GRC DB — all expected for this integration.
Install Mechanism
No remote downloads or installers in the registry entry; the skill is instruction/code-only. Dependencies are standard Python packages pinned in scripts/requirements.txt (google-api-python-client, google-auth, requests). Installation via 'pip install -r scripts/requirements.txt' is documented. No high-risk external downloads or extract steps were observed.
Credentials
Requested credentials (Google SA key path + admin email; Okta org URL + API token) are proportional to the stated checks. The skill does not request unrelated secrets or broad OS-level credentials. Environment variables are optional (providers can be skipped).
Persistence & Privilege
The skill does write to a shared GRC SQLite DB and updates an 'integrations' record; it also attempts to execute a db_query.py script if available. The skill is declared with always:false and requests no automatic elevation. Writing into the shared DB is expected for this integration, but it does imply trust in the skill and in the database path provided; the skill does not modify other skills or system configuration beyond the GRC DB.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install auditclaw-idp
  3. After installation, invoke the skill by name or use /auditclaw-idp
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
  • Added homepage and source links to metadata for increased transparency.
  • Updated metadata to specify `pip` requirements file for installation.
  • Listed required and optional environment variables in metadata for clearer configuration instructions.
  • No functional or command changes; documentation and metadata updates only.
v1.0.1
  • Removed test files: tests/conftest.py and tests/test_idp_checks.py
  • Test coverage for this skill has been reduced or removed in this version.
v1.0.0
Initial release of the AuditClaw IDP skill: automated compliance evidence collection for Google Workspace and Okta IDPs.
  • Collects read-only compliance evidence from Google Workspace and Okta (8 total checks)
  • Stores evidence in a shared GRC SQLite database for use with auditclaw-grc
  • Supports user-invocable commands for a full evidence sweep or specific checks
  • Security model: read-only API scopes; no credentials stored by the skill
  • Includes a setup guide for Google Workspace and Okta integration via environment variables
Metadata
Slug auditclaw-idp
Version 1.0.2
License
All-time Installs 0
Active Installs 0
Total Versions 3
Frequently Asked Questions

What is AuditClaw Idp?

Identity provider compliance checks for auditclaw-grc. 8 read-only checks across Google Workspace (MFA, admin audit, inactive users, passwords) and Okta (MFA... It is an AI Agent Skill for Claude Code / OpenClaw, with 570 downloads so far.

How do I install AuditClaw Idp?

Run "/install auditclaw-idp" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is AuditClaw Idp free?

Yes, AuditClaw Idp is completely free (open-source). You can download, install and use it at no cost.

Which platforms does AuditClaw Idp support?

AuditClaw Idp is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created AuditClaw Idp?

It is built and maintained by Nikhil Jathar (@mailnike); the current version is v1.0.2.
