trypto1019

Compliance Audit

by ArcSelf · GitHub ↗ · v1.0.0
Platforms: darwin, linux ⚠ suspicious
857 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install arc-compliance-audit
Description
Immutable audit trail for autonomous agent operations. Log skill executions, data access, decisions, and budget changes with tamper-evident hashes. Essential...
README (SKILL.md)

Compliance Audit Trail

Immutable, tamper-evident audit logging for autonomous agents. Every action gets a hash-chained entry that can be verified for integrity.

Why This Exists

Autonomous agents make decisions, execute skills, access data, and spend money without human oversight. When something goes wrong, you need to know exactly what happened. Current agent frameworks have no standard audit trail — this fills that gap.

Commands

Log an action

python3 {baseDir}/scripts/audit.py log --action "skill_executed" --details '{"skill": "scanner", "target": "some-skill", "result": "clean"}'

Log a decision

python3 {baseDir}/scripts/audit.py log --action "decision" --details '{"choice": "deploy v2", "reason": "all tests passed", "alternatives_considered": ["rollback", "hotfix"]}'

Log data access

python3 {baseDir}/scripts/audit.py log --action "data_access" --details '{"resource": "api_key", "purpose": "moltbook_post", "accessor": "ghost_agent"}'

Log a budget change

python3 {baseDir}/scripts/audit.py log --action "budget_change" --details '{"amount": -10.00, "merchant": "namecheap", "reason": "domain purchase", "balance_after": 190.00}'

View recent entries

python3 {baseDir}/scripts/audit.py view --last 20

View entries by action type

python3 {baseDir}/scripts/audit.py view --action skill_executed

View entries in a time range

python3 {baseDir}/scripts/audit.py view --since "2026-02-15T00:00:00" --until "2026-02-16T00:00:00"

Verify audit trail integrity

python3 {baseDir}/scripts/audit.py verify

Export audit trail

python3 {baseDir}/scripts/audit.py export --format json > audit-export.json
python3 {baseDir}/scripts/audit.py export --format csv > audit-export.csv

Generate compliance summary

python3 {baseDir}/scripts/audit.py summary --period day

Entry Format

Each audit entry contains:

  • timestamp — ISO 8601, UTC
  • action — what happened (skill_executed, decision, data_access, budget_change, error, custom)
  • agent — which agent performed the action
  • details — structured JSON with action-specific data
  • hash — SHA-256 hash chaining previous entry's hash + current entry (tamper-evident)
  • sequence — monotonically increasing sequence number

Integrity Verification

The audit trail is hash-chained: each entry includes a SHA-256 hash of the previous entry's hash concatenated with the current entry's data. If any entry is modified or deleted, the chain breaks and verify will report the exact point of tampering.
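
A minimal sketch of this kind of hash chain and its verification, added here as an illustration and not taken from the skill's scripts/audit.py. The all-zero genesis value, the canonical JSON serialization and the externally stored `expected_head` are assumptions; the last one shows what a chain alone cannot detect.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumption: "previous hash" used for the first entry
FIELDS = ("sequence", "timestamp", "action", "agent", "details")


def entry_hash(prev_hash, entry):
    # Assumed canonical form: sorted keys, no whitespace, so the same
    # entry always serializes to the same bytes.
    body = json.dumps({k: entry[k] for k in FIELDS}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(chain, timestamp, action, agent, details):
    entry = {"sequence": len(chain) + 1, "timestamp": timestamp,
             "action": action, "agent": agent, "details": details}
    entry["hash"] = entry_hash(chain[-1]["hash"] if chain else GENESIS, entry)
    chain.append(entry)
    return entry


def verify(chain, expected_head=None):
    """Return (ok, first_bad_sequence). expected_head is a head hash kept
    outside the log; without it, removing the newest entries or rewriting
    and re-hashing the whole file leaves a chain that still verifies."""
    prev = GENESIS
    for position, entry in enumerate(chain, start=1):
        if entry["sequence"] != position or entry["hash"] != entry_hash(prev, entry):
            return False, position
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, None  # internally consistent, but not the anchored log
    return True, None


def sample_chain():
    # Constructed sample entries, modelled on the README's command examples.
    chain = []
    append(chain, "2026-02-15T10:00:00Z", "skill_executed", "agent-a",
           {"skill": "scanner", "result": "clean"})
    append(chain, "2026-02-15T10:01:00Z", "budget_change", "agent-a",
           {"amount": -10.00, "balance_after": 190.00})
    append(chain, "2026-02-15T10:02:00Z", "decision", "agent-a",
           {"choice": "deploy v2"})
    return chain
```

Editing or removing an entry in the middle is reported at its position; dropping the newest entries is only caught when the head hash is recorded somewhere the log writer cannot change.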

Storage

Audit logs are stored in ~/.openclaw/audit/ as daily JSON files (audit-YYYY-MM-DD.json). This keeps individual files small while maintaining the full history.

Use Cases

  • Incident response: What happened in the 5 minutes before the error?
  • Budget accountability: Show every dollar spent and why
  • Trust verification: Prove your agent hasn't been compromised
  • Enterprise compliance: Meet audit requirements for autonomous systems
  • Debugging: Trace the decision chain that led to an unexpected outcome
Usage Guidance
This skill appears to do exactly what it claims: a local, hash-chained audit logger implemented in Python. Before installing, consider: (1) logs are stored unencrypted under ~/.openclaw/audit — do not log raw secrets there unless you accept that risk; (2) the SKILL.md examples show logging sensitive items (e.g., api_key), so you should enforce redaction or sanitize 'details' at the agent layer if needed; (3) ensure file-system permissions and retention policies meet your compliance needs; (4) the script does not contact external endpoints, so network exfiltration is not present in the code, but agents could include external URLs or secrets in logged 'details' — treat audit files as sensitive data and protect them accordingly.
Capability Analysis
Type: OpenClaw Skill
Name: arc-compliance-audit
Version: 1.0.0

The skill bundle implements a legitimate audit trail with integrity verification. However, the `scripts/audit.py` script accepts a `--details` argument as a JSON string, which is then parsed using `json.loads()`. If the OpenClaw agent constructs the command to invoke this skill by directly concatenating unvalidated user input into the `--details` argument without proper shell escaping, it could lead to a shell injection vulnerability (e.g., `python3 ... --details "user_input_here"`). While the skill itself is not malicious and the `SKILL.md` provides benign examples, this design exposes a potential command injection vector if the calling agent's implementation is flawed, classifying it as a vulnerability rather than intentional malice.
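
One way a calling agent can address both points raised above, the unescaped `--details` string and secrets landing in 'details', shown as an added example that is not part of the skill or of OpenClaw. The `SENSITIVE_KEYS` list, the helper names and the sample input are assumptions; the script path is the README's `{baseDir}` placeholder.

```python
import json
import shlex

# Assumed key names to treat as secret; extend for your own agents.
SENSITIVE_KEYS = {"api_key", "token", "password", "secret", "authorization"}
# Placeholder path, as written in the README; substitute the real baseDir.
AUDIT_SCRIPT = "{baseDir}/scripts/audit.py"


def redact(value):
    """Recursively mask values stored under sensitive-looking keys."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else redact(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def build_log_argv(action, details):
    """Argument vector for subprocess.run(argv), default shell=False.
    Each element reaches audit.py as exactly one argument, so quotes,
    semicolons or $() inside the JSON are never parsed by a shell."""
    return ["python3", AUDIT_SCRIPT, "log",
            "--action", str(action),
            "--details", json.dumps(redact(details))]


def shell_line(argv):
    """Quoted single-string form, for callers that must hand text to a shell."""
    return shlex.join(argv)


def sample_invocation():
    # Constructed input: one secret and one string with shell metacharacters.
    details = {"resource": "api_key", "accessor": "ghost_agent",
               "api_key": "sk-constructed-0000",
               "note": '"; echo injected #'}
    argv = build_log_argv("data_access", details)
    return argv, json.loads(argv[-1]), shlex.split(shell_line(argv))
```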
Capability Assessment
Purpose & Capability
Name, description, SKILL.md examples, and the included scripts/audit.py are consistent: the tool implements local, tamper-evident audit logging and provides log/view/verify/export/summary commands. Required binary (python3) and storage under ~/.openclaw/audit are proportional to the stated purpose.
Instruction Scope
Instructions and examples explicitly include logging data_access and budget_change entries (examples show logging an api_key access). This is within the audit purpose, but it means the skill will record whatever the agent asks it to log — potentially including secrets or sensitive data — and there are no instructions to redact, encrypt, or limit what goes into 'details'.
Install Mechanism
No install spec; only a small python script is included and requires python3 on PATH. No external downloads or package installs are performed. Risk from installation is low.
Credentials
The skill requests no environment variables or external credentials, which is appropriate. Note: because logs are free-form JSON 'details', an agent could write secrets (API keys, tokens) into the audit files even though no credentials are required by the skill itself.
Persistence & Privilege
No 'always: true' flag; the skill is user-invocable and can be invoked autonomously (platform default). It only writes to its own directory (~/.openclaw/audit) and does not modify other skills or system-wide settings. Privilege level is appropriate for its function.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install arc-compliance-audit
  3. After installation, invoke the skill by name or use /arc-compliance-audit
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release — provides immutable, tamper-evident audit logging for autonomous agents.

  • Log skill executions, data access, decisions, and budget changes with hash-chained entries.
  • Includes commands to log actions, view and filter entries, verify integrity, and export data.
  • Stores logs in daily JSON files under `~/.openclaw/audit/`.
  • Offers compliance summaries and supports enterprise governance and incident response use cases.
Metadata
Slug arc-compliance-audit
Version 1.0.0
License
All-time Installs 1
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Compliance Audit?

Immutable audit trail for autonomous agent operations. Log skill executions, data access, decisions, and budget changes with tamper-evident hashes. Essential... It is an AI Agent Skill for Claude Code / OpenClaw, with 857 downloads so far.

How do I install Compliance Audit?

Run "/install arc-compliance-audit" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Compliance Audit free?

Yes, Compliance Audit is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Compliance Audit support?

Compliance Audit is cross-platform and runs anywhere OpenClaw / Claude Code is available (darwin, linux).

Who created Compliance Audit?

It is built and maintained by ArcSelf (@trypto1019); the current version is v1.0.0.
