anmolnagpal

Compliance Analyzer

by Anmol Nagpal · GitHub · v1.0.0
cross-platform ✓ Security Clean
324 Downloads · 0 Stars · 0 Active Installs · 1 Version
Install in OpenClaw
/install compliance-analyzer
Description
Map AWS environment against CIS, SOC 2, HIPAA, or PCI-DSS controls with prioritized remediation
README (SKILL.md)

AWS Compliance Gap Analyzer

You are an AWS compliance expert covering CIS, SOC 2, HIPAA, and PCI-DSS frameworks.

This skill is instruction-only. It does not execute any AWS CLI commands or access your AWS account directly. You provide the data; Claude analyzes it.

Required Inputs

Ask the user to provide one or more of the following (the more provided, the better the analysis). AWS Config and Security Hub are regional services, so each export only covers the region the CLI call was made in: run the commands for every region in scope (`--region`), or, for Security Hub, from the aggregation region if cross-Region aggregation is configured.

  1. AWS Config compliance snapshot — rules and their compliance status
    aws configservice describe-compliance-by-config-rule --output json > config-compliance.json
    
  2. Security Hub findings export — consolidated security findings with RecordState ACTIVE (this filter still returns findings whose workflow status is SUPPRESSED or RESOLVED, so keep the Workflow field in the export so they can be told apart)
    aws securityhub get-findings \
      --filters '{"RecordState":[{"Value":"ACTIVE","Comparison":"EQUALS"}]}' \
      --output json > securityhub-findings.json
    
  3. AWS Config resource configuration — for specific resource types
    aws configservice select-resource-config \
      --expression "SELECT * WHERE resourceType = 'AWS::IAM::Policy'" \
      --output json > iam-policies.json
    

Read-only IAM permissions sufficient to run the CLI commands above:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["config:Describe*", "config:Get*", "config:Select*", "securityhub:GetFindings", "iam:GetPolicy", "iam:ListPolicies"],
    "Resource": "*"
  }]
}

The three commands themselves need only config:DescribeComplianceByConfigRule, config:SelectResourceConfig and securityhub:GetFindings; the config:Describe*/config:Get* wildcards and the iam: actions are broader than that and can be dropped if the policy is meant to be least-privilege.

If the user cannot provide any data, ask them to describe their cloud environment (services, regions, accounts) and which compliance framework they are targeting (CIS, SOC 2, HIPAA, PCI-DSS). Controls assessed from a description alone have no evidence behind them and should be reported as "Cannot determine", not as Pass.

Supported Frameworks

  • CIS AWS Foundations Benchmark v2.0: 5 sections (IAM, Storage, Logging, Monitoring, Networking), 58 controls
  • SOC 2 Type II: the Security, Availability and Confidentiality Trust Services Criteria (of the five AICPA criteria; Processing Integrity and Privacy are not covered)
  • HIPAA Security Rule: Administrative, Physical, and Technical Safeguards
  • PCI-DSS v4.0: 12 requirements for cardholder data environments

Steps

  1. Parse AWS Config / Security Hub findings or account configuration data
  2. Map each finding to the requested compliance framework controls
  3. Generate Pass/Fail per control with evidence
  4. Prioritize gaps by risk level and remediation effort
  5. Write remediation runbooks per gap

Output Format

  • Compliance Score: % pass per domain
  • Control Status Table: control ID, description, status, evidence, remediation effort
  • Gap Priority Matrix: Critical gaps / Quick Wins / Long-Term Projects
  • Remediation Runbooks: step-by-step fix with AWS CLI commands per gap
  • Evidence Narrative: auditor-ready explanation per control
  • AWS Config Rules: automations to continuously monitor each control

Rules

  • Always cite the specific control ID (e.g. CIS 1.14, PCI 8.3.6)
  • Separate "Fail" from "Cannot determine" — missing data ≠ passing
  • Write remediation steps as executable commands, not vague guidance
  • Estimate remediation hours per gap for project planning
  • Never ask for credentials, access keys, or secret keys — only exported data or CLI/console output
  • If user pastes raw data, confirm no credentials are included before processing
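The Steps, Output Format and Rules above describe an evidence-to-control mapping with a score per domain and a strict separation of "Fail" from "Cannot determine". The following is an added example of that logic, written for this page rather than taken from the skill or its author: it parses the two export shapes the skill asks for, maps them onto four CIS v2.0 controls through an illustrative control map (the managed Config rule names and Security Hub control IDs are real; the map is deliberately small), and never lets missing data, INSUFFICIENT_DATA or a suppressed finding count as a pass. The sample exports are constructed.

```python
"""Added example, not the skill's own code: turn the two exports the skill asks for
into Pass / Fail / Cannot determine per control, plus a per-domain score."""
import json
from collections import defaultdict

PASS, FAIL, UNKNOWN = "Pass", "Fail", "Cannot determine"
CIS_SECTIONS = {"1": "IAM", "2": "Storage", "3": "Logging", "4": "Monitoring", "5": "Networking"}

# Illustrative control map (four CIS v2.0 controls, managed Config rule names and
# Security Hub control IDs). A real mapping covers every control of the framework.
CONTROL_MAP = {
    "CIS 1.1": {"title": "Maintain current contact details",  # manual: no automated evidence
                "config_rules": [], "sh_controls": []},
    "CIS 1.4": {"title": "Ensure no root user access key exists",
                "config_rules": ["iam-root-access-key-check"], "sh_controls": ["IAM.4"]},
    "CIS 1.10": {"title": "Ensure MFA is enabled for IAM users with a console password",
                 "config_rules": ["mfa-enabled-for-iam-console-access"], "sh_controls": ["IAM.5"]},
    "CIS 3.1": {"title": "Ensure CloudTrail is enabled in all regions",
                "config_rules": ["cloudtrail-enabled"], "sh_controls": ["CloudTrail.1"]},
}

def config_evidence(export_json):
    """Config rule name -> ComplianceType, from describe-compliance-by-config-rule output."""
    if export_json is None:
        return {}
    return {r["ConfigRuleName"]: r["Compliance"]["ComplianceType"]
            for r in json.loads(export_json).get("ComplianceByConfigRules", [])}

def securityhub_evidence(export_json):
    """Security Hub control ID -> statuses of its ACTIVE findings, from get-findings output.
    Suppressed findings stay visible in the evidence but are tagged so they never count."""
    evidence = defaultdict(list)
    if export_json is None:
        return evidence
    for finding in json.loads(export_json).get("Findings", []):
        comp = finding.get("Compliance", {})
        control_id, status = comp.get("SecurityControlId"), comp.get("Status")
        if finding.get("RecordState") != "ACTIVE" or not (control_id and status):
            continue
        if finding.get("Workflow", {}).get("Status") == "SUPPRESSED":
            status = f"SUPPRESSED({status})"
        evidence[control_id].append(status)
    return evidence

def evaluate(control, cfg, sh):
    """Any failing evidence -> Fail; else any passing evidence -> Pass; else Cannot determine
    (no export supplied, INSUFFICIENT_DATA, NOT_APPLICABLE, or only suppressed findings)."""
    evidence = [("Config", r, cfg[r]) for r in control["config_rules"] if r in cfg]
    evidence += [("SecurityHub", c, s) for c in control["sh_controls"] for s in sh.get(c, [])]
    statuses = {e[2] for e in evidence}
    if statuses & {"NON_COMPLIANT", "FAILED"}:
        return FAIL, evidence
    if statuses & {"COMPLIANT", "PASSED"}:
        return PASS, evidence
    return UNKNOWN, evidence

def analyze(config_export=None, securityhub_export=None, control_map=CONTROL_MAP):
    """Control status table plus per-domain score; only determinable controls are scored."""
    cfg, sh = config_evidence(config_export), securityhub_evidence(securityhub_export)
    rows, tally = [], defaultdict(lambda: {PASS: 0, FAIL: 0, UNKNOWN: 0})
    for control_id, control in control_map.items():
        status, evidence = evaluate(control, cfg, sh)
        domain = CIS_SECTIONS.get(control_id.split()[1].split(".")[0], "Other")
        rows.append({"control": control_id, "title": control["title"], "domain": domain,
                     "status": status, "evidence": evidence})
        tally[domain][status] += 1
    scores = {}
    for domain, t in tally.items():
        determinable = t[PASS] + t[FAIL]
        scores[domain] = {"score_pct": round(100 * t[PASS] / determinable) if determinable else None,
                          "cannot_determine": t[UNKNOWN]}
    return {"controls": rows, "scores": scores}

# Constructed sample exports: shapes follow the two CLI commands, values are made up.
CONFIG_EXPORT = json.dumps({"ComplianceByConfigRules": [
    {"ConfigRuleName": "iam-root-access-key-check", "Compliance": {"ComplianceType": "COMPLIANT"}},
    {"ConfigRuleName": "cloudtrail-enabled", "Compliance": {"ComplianceType": "NON_COMPLIANT"}},
    {"ConfigRuleName": "mfa-enabled-for-iam-console-access",
     "Compliance": {"ComplianceType": "INSUFFICIENT_DATA"}}]})
SECURITYHUB_EXPORT = json.dumps({"Findings": [
    {"RecordState": "ACTIVE", "Workflow": {"Status": "RESOLVED"},
     "Compliance": {"SecurityControlId": "IAM.4", "Status": "PASSED"}},
    {"RecordState": "ACTIVE", "Workflow": {"Status": "NEW"}, "Severity": {"Label": "HIGH"},
     "Compliance": {"SecurityControlId": "CloudTrail.1", "Status": "FAILED"}},
    {"RecordState": "ACTIVE", "Workflow": {"Status": "SUPPRESSED"},
     "Compliance": {"SecurityControlId": "IAM.5", "Status": "FAILED"}}]})

if __name__ == "__main__":
    report = analyze(CONFIG_EXPORT, SECURITYHUB_EXPORT)
    for row in report["controls"]:
        print(f'{row["control"]:<9} {row["status"]:<17} {row["evidence"]}')
    print(report["scores"])
```

With the sample data, CIS 1.4 passes on two agreeing sources, CIS 3.1 fails, and both CIS 1.1 (manual control) and CIS 1.10 (INSUFFICIENT_DATA plus a suppressed finding) come out as "Cannot determine" with their evidence listed, so the IAM domain scores 100% on one determinable control while reporting two undetermined ones. Calling analyze() with no exports yields no Pass at all, which is the behaviour the "missing data ≠ passing" rule requires.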
Usage Guidance
This skill is internally coherent: it analyzes AWS CLI/service exports you supply and does not ask for credentials. Before installing or using it:
  1. Run the suggested AWS CLI commands yourself with the minimal read-only IAM policy and review the outputs; do not share AWS access keys or secret values.
  2. Redact or remove any secrets, access keys, long-lived tokens, or unnecessary PII from outputs before pasting them into the skill.
  3. Limit exported data to the resources/regions/accounts needed for the assessment to reduce exposure.
  4. Treat remediation runbooks as guidance: verify and test CLI commands in a safe (non-production) environment before executing.
  5. The skill's source/homepage is unknown and there is no code to audit, so avoid sending full audit logs or broad exports you would not share with a third party.
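Point 2 above and the skill's own rule to "confirm no credentials are included before processing" are easier to follow with a mechanical check than by eye, since exports can be thousands of lines. The following is an added example of such a pre-paste check, written for this page and not part of the skill: it walks a parsed export, redacts AWS access key IDs (AKIA/ASIA prefixes) wherever they appear, redacts any string stored under a key that looks secret-bearing, optionally masks 12-digit account IDs, and reports the JSON path of each hit. The patterns are assumptions about what commonly leaks, not a complete secret scanner, and the sample export is constructed (the key ID is AWS's documented example key).

```python
"""Added example, not the skill's own code: check an export for credential-shaped
values before pasting it, and return a redacted copy. The patterns are assumptions
about what usually leaks into exports, not a complete secret scanner."""
import json
import re

ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
SENSITIVE_KEY = re.compile(r"secret|password|passwd|token|private[_-]?key", re.IGNORECASE)
ACCOUNT_ID = re.compile(r"(?<!\d)\d{12}(?!\d)")

def _walk(obj, path, findings, mask_account_ids):
    """Return a redacted copy of obj, appending (json_path, kind) to findings."""
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            child = f"{path}.{key}"
            if isinstance(value, str) and SENSITIVE_KEY.search(key):
                findings.append((child, "secret-bearing key"))  # redact the whole value
                out[key] = "[REDACTED]"
            else:
                out[key] = _walk(value, child, findings, mask_account_ids)
        return out
    if isinstance(obj, list):
        return [_walk(v, f"{path}[{i}]", findings, mask_account_ids) for i, v in enumerate(obj)]
    if isinstance(obj, str):
        if ACCESS_KEY_ID.search(obj):
            findings.append((path, "access key id"))
            obj = ACCESS_KEY_ID.sub("AKIA[REDACTED]", obj)
        if mask_account_ids:  # optional: account IDs are identifiers, not secrets
            obj = ACCOUNT_ID.sub("[ACCOUNT]", obj)
        return obj
    return obj  # numbers, booleans, null

def preflight(export_text, mask_account_ids=False):
    """Parse an export, redact it, and list what was found. Returns (redacted_json, findings)."""
    findings = []
    redacted = _walk(json.loads(export_text), "$", findings, mask_account_ids)
    return json.dumps(redacted, indent=1), findings

# Constructed sample: one Security Hub finding whose resource details carry a hardcoded
# key (AWS's documented example key ID) and a password in the free-form Details.Other map.
SAMPLE_EXPORT = json.dumps({"Findings": [{
    "Id": "arn:aws:securityhub:us-east-1:123456789012:subscription/example/finding/1",
    "Resources": [{"Type": "AwsEc2Instance",
                   "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0",
                   "Details": {"Other": {"UserData": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
                                         "DbPassword": "hunter2"}}}]}]})

if __name__ == "__main__":
    text, found = preflight(SAMPLE_EXPORT, mask_account_ids=True)
    for where, kind in found:
        print(f"{kind}: {where}")
    print(text)
```

Run it over the saved export files before sharing them; anything listed in the findings is a reason to stop and check whether the resource itself needs remediating, not just the export. Keys matched by SENSITIVE_KEY are redacted as a whole value on purpose, since the format of a secret is unknown but its field name is usually telling.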
Capability Analysis
Type: OpenClaw Skill
Name: compliance-analyzer
Version: 1.0.0
The skill is designed as an 'instruction-only' analyzer of user-provided AWS compliance data. It explicitly states that it 'does not execute any AWS CLI commands or access your AWS account directly' and instructs the agent to 'Never ask for credentials, access keys, or secret keys.' While 'bash' is listed as a tool, its use is constrained to displaying example commands for the user and generating remediation steps as executable commands in the output, not for agent-initiated execution. There is no evidence of prompt injection for malicious purposes, data exfiltration, or unauthorized execution.
Capability Assessment
Purpose & Capability
The name/description (AWS compliance mapping) matches the runtime instructions: it asks users to supply AWS Config / Security Hub / resource configuration exports and maps findings to compliance controls. There are no unrelated required binaries, environment variables, or config paths listed. Header items like 'tools: claude, bash' are incidental but do not contradict the stated purpose.
Instruction Scope
The SKILL.md is instruction-only and instructs the agent to ask the user to provide CLI output files (exact aws cli commands are given) and to never request credentials. This is appropriate for an analysis skill, but it relies on the user pasting potentially sensitive exports. The header's 'bash' tool could be ambiguous in some runtimes (it suggests shell capability) but the skill explicitly states it will not execute AWS CLI itself; still, confirm the agent runtime will not execute commands on your behalf.
Install Mechanism
No install spec and no code files — lowest-risk pattern for a skill (instruction-only). Nothing is downloaded or written to disk by the skill itself.
Credentials
The skill requests no environment variables or credentials. It provides a minimal, read-only IAM policy for the user to run the suggested CLI commands locally. However, user-provided exports may contain sensitive identifiers or secrets if they inadvertently include them, so the requirement 'user provides exported data' carries data-exfiltration risk if the user pastes unredacted outputs.
Persistence & Privilege
The 'always' flag is false; the skill does not request persistent privileges or system-wide config changes. It does not attempt to modify other skills or agent-wide settings.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install compliance-analyzer
  3. After installation, invoke the skill by name or use /compliance-analyzer
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
aws-compliance-analyzer v1.0.0 - Initial release of AWS compliance mapping tool for CIS, SOC 2, HIPAA, and PCI-DSS frameworks.
  • Provides step-by-step instructions for users to export necessary AWS data (Config, Security Hub) for analysis.
  • Delivers prioritized remediation guidance, compliance score, evidence narratives, and auditor-ready reports.
  • Never requests sensitive credentials; works only with exported, user-provided data.
  • Includes detailed output structure: control mapping, gap analysis, remediation runbooks, and project planning estimates.
Metadata
Slug compliance-analyzer
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Compliance Analyzer?

Map AWS environment against CIS, SOC 2, HIPAA, or PCI-DSS controls with prioritized remediation. It is an AI Agent Skill for Claude Code / OpenClaw, with 324 downloads so far.

How do I install Compliance Analyzer?

Run "/install compliance-analyzer" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Compliance Analyzer free?

Yes, Compliance Analyzer is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Compliance Analyzer support?

Compliance Analyzer is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Compliance Analyzer?

It is built and maintained by Anmol Nagpal (@anmolnagpal); the current version is v1.0.0.
