msaad00

agent-bom compliance

by Agent Bom · GitHub ↗ · v0.82.3 · MIT-0
darwin · linux · windows ✓ Security Clean
826 Downloads · 0 Stars · 2 Active Installs · 36 Versions
Install in OpenClaw
/install agent-bom-compliance
Description
AI compliance and policy engine — evaluate scan results against OWASP, NIST, SOC 2, ISO 27001, CMMC, EU AI Act, AISVS v1.0, and related frameworks. Generate...
README (SKILL.md)

agent-bom-compliance — AI Compliance & Policy Engine

Evaluate AI infrastructure scan results against 14 security and regulatory frameworks. Enforce policy-as-code rules. Generate SBOMs in standard formats. Run AISVS v1.0 and CIS benchmark checks.

Install

pipx install agent-bom
agent-bom agents -f compliance-export  # run agents scan with compliance export
agent-bom generate-sbom                # generate CycloneDX SBOM

When to Use

  • "compliance report" / "run compliance"
  • "NIST" / "NIST AI RMF" / "NIST CSF" / "NIST 800-53"
  • "SOC 2" / "SOC2"
  • "ISO 27001"
  • "OWASP" / "OWASP LLM Top 10" / "OWASP Agentic Top 10"
  • "EU AI Act"
  • "AISVS" / "AI Security Verification Standard"
  • "CMMC" / "FedRAMP"
  • "generate SBOM" / "CycloneDX" / "SPDX"
  • "policy check" / "policy enforcement"

Tools (5)

Tool             Description
compliance       OWASP LLM/Agentic Top 10, EU AI Act, MITRE ATLAS, NIST AI RMF
policy_check     Evaluate results against custom security policy (17 conditions)
cis_benchmark    Run CIS benchmark checks against cloud accounts
generate_sbom    Generate SBOM (CycloneDX or SPDX format)
aisvs_benchmark  OWASP AISVS v1.0 compliance — 9 AI security checks

Supported Frameworks (14)

  • OWASP LLM Top 10 (2025) — prompt injection, supply chain, data leakage
  • OWASP MCP Top 10 — MCP-specific security risks
  • OWASP Agentic Top 10 — tool poisoning, rug pulls, credential theft
  • OWASP AISVS v1.0 — AI Security Verification Standard (9 checks)
  • MITRE ATLAS — adversarial ML threat framework
  • NIST AI RMF — govern, map, measure, manage lifecycle
  • NIST CSF 2.0 — identify, protect, detect, respond, recover
  • NIST 800-53 Rev 5 — federal security controls (CM-8, RA-5, SI-2, SR-3)
  • FedRAMP Moderate — derived from NIST 800-53 controls
  • EU AI Act — risk classification, transparency, SBOM requirements
  • ISO 27001:2022 — information security controls (Annex A)
  • SOC 2 — Trust Services Criteria
  • CIS Controls v8 — implementation groups IG1/IG2/IG3
  • CMMC 2.0 — cybersecurity maturity model (Level 1-3)

Examples

# Run compliance check against multiple frameworks
compliance(frameworks=["owasp_llm", "eu_ai_act", "nist_ai_rmf"])

# Enforce custom policy
policy_check(policy={"max_critical": 0, "max_high": 5})

# Generate SBOM
generate_sbom(format="cyclonedx")

# Run AISVS v1.0 compliance
aisvs_benchmark()

# Run AWS CIS benchmark
cis_benchmark(provider="aws")
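
To make the `policy_check(policy={"max_critical": 0, "max_high": 5})` call above concrete, here is an added sketch of a severity gate over a CycloneDX-style vulnerability list. It is not agent-bom's own code: reading `max_<severity>` as an inclusive upper bound on finding counts is an assumption, and the sample document and its `EXAMPLE-…` ids are constructed.

```python
import json
from collections import Counter

# Constructed CycloneDX-style sample (not real scan output).
SAMPLE_BOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "vulnerabilities": [
    {"id": "EXAMPLE-0001", "ratings": [{"severity": "high"}, {"severity": "critical"}]},
    {"id": "EXAMPLE-0002", "ratings": [{"severity": "high"}]},
    {"id": "EXAMPLE-0003", "ratings": [{"severity": "medium"}]},
    {"id": "EXAMPLE-0004"}
  ]
}""")

# CycloneDX severity values, ordered from least to most severe.
SEVERITY_ORDER = ["unknown", "none", "info", "low", "medium", "high", "critical"]


def worst_severity(vuln):
    """Most severe rating on one vulnerability; 'unknown' when it has none."""
    rated = [r.get("severity", "unknown") for r in vuln.get("ratings") or []]
    known = [s for s in rated if s in SEVERITY_ORDER]
    return max(known, key=SEVERITY_ORDER.index, default="unknown")


def count_by_severity(bom):
    """Count vulnerabilities by their worst rating, so none is counted twice."""
    return Counter(worst_severity(v) for v in bom.get("vulnerabilities", []))


def evaluate_policy(bom, policy):
    """Apply max_<severity> limits (assumed semantics); return (passed, violations)."""
    counts = count_by_severity(bom)
    violations = []
    for key, limit in policy.items():
        severity = key[4:] if key.startswith("max_") else None
        if severity not in SEVERITY_ORDER:
            # Fail closed: a misspelled key must not turn into a silent pass.
            violations.append(f"unsupported policy key: {key}")
            continue
        if counts[severity] > limit:
            violations.append(f"{key}: {counts[severity]} found, limit {limit}")
    return not violations, violations


if __name__ == "__main__":
    ok, problems = evaluate_policy(SAMPLE_BOM, {"max_critical": 0, "max_high": 5})
    print("PASS" if ok else "FAIL", problems)
```

Unrated findings land in the `unknown` bucket rather than disappearing, so a gate that only limits `critical` and `high` should be paired with a review of that bucket.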

Privacy & Data Handling

OWASP, NIST, EU AI Act, MITRE ATLAS, AISVS, SBOM generation, and policy checks run entirely locally on scan data already in memory. No network calls, no credentials needed for these features.

CIS benchmark checks (optional, user-initiated) call cloud provider APIs using your locally configured credentials. These are read-only API calls to AWS, Azure, GCP, or Snowflake. You must explicitly run cis_benchmark(provider=...) and confirm before any cloud API calls are made.

Verification

  • Source: github.com/msaad00/agent-bom (Apache-2.0)
  • 7,100+ tests with CodeQL + OpenSSF Scorecard
  • No telemetry: Zero tracking, zero analytics
Usage Guidance
This skill appears coherent for local compliance checks and SBOM generation. Before installing: (1) review the upstream GitHub repo and the PyPI/ghcr.io package contents to ensure they match the project you expect; (2) install/run in an isolated environment (VM or container) first; (3) only provide cloud credentials if you explicitly run CIS benchmark checks, and give those credentials least privilege access (read-only, limited scope); (4) confirm the 'agent-bom agents' command's scope so it doesn't scan agent/platform infrastructure you don't intend to expose. Also note the minor metadata mismatch: SKILL.md requires Python 3.11+ but the registry entry lists no required binaries — ensure your runtime meets that requirement.
Capability Analysis
Type: OpenClaw Skill
Name: agent-bom-compliance
Version: 0.82.3
The agent-bom-compliance skill is a security and compliance engine designed to evaluate infrastructure against frameworks like OWASP, NIST, and ISO 27001. While it requests access to sensitive cloud credentials (AWS, Azure, GCP, Snowflake) for CIS benchmark checks, the SKILL.md documentation clearly justifies this for local, read-only API calls to standard provider endpoints. No evidence of malicious intent, data exfiltration, or prompt injection was found.
Capability Assessment
Purpose & Capability
The skill describes an AI/compliance engine and SBOM generation and only lists optional cloud credentials for CIS checks — this is coherent. One minor inconsistency: SKILL.md requires Python 3.11+ and shows pipx/pip/docker install options, but the registry metadata lists no required binaries; the runtime requirement for Python is legitimate but not reflected in the top-level 'required binaries' field.
Instruction Scope
The SKILL.md contains concrete CLI usage (pipx install, agent-bom commands) and limits file reads to user-provided SBOMs and policy files. It does not instruct the agent to scan unrelated local files or to exfiltrate data. CIS checks are explicitly optional and described as using local cloud credentials.
Install Mechanism
This is an instruction-only skill (no install spec or code bundled). The project recommends installing from PyPI (pip/pipx) or using the GHCR Docker image — these are normal distribution channels. Because there is no packaged install in the skill bundle, the actual installation (pipx/pip/docker) would fetch code at install time; verify the upstream PyPI package or container image before installing.
Credentials
No required credentials are declared; a reasonable set of optional environment variables (AWS/Azure/GCP/Snowflake) are listed for optional CIS benchmark checks. These optional secrets are proportional to the described cloud checks. The skill claims to perform other framework checks (OWASP/NIST/EU AI Act) locally without credentials.
Persistence & Privilege
The skill does not request persistent presence (always: false), declares no telemetry or persistence, and marks autonomous invocation as restricted. Nothing in the README suggests it modifies other skills or system-wide agent settings.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install agent-bom-compliance
  3. After installation, invoke the skill by name or use /agent-bom-compliance
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.82.3
Release v0.82.3
v0.82.2
Release v0.82.2
v0.81.3
Release v0.81.3
v0.81.1
Release v0.81.1
v0.81.0
Release v0.81.0
v0.80.1
Release v0.80.1
v0.78.1
Release v0.78.1
v0.76.4
Release v0.76.4
v0.76.2
Release v0.76.2
v0.76.1
Release v0.76.1
v0.76.0
Release v0.76.0
v0.75.15
Release v0.75.15
v0.75.14
Release v0.75.14
v0.75.13
Release v0.75.13
v0.75.11
Release v0.75.11
v0.75.10
Release v0.75.10
v0.75.9
Release v0.75.9
v0.75.8
Release v0.75.8
v0.75.7
Release v0.75.7
v0.75.6
Release v0.75.6
Metadata
Slug: agent-bom-compliance
Version: 0.82.3
License: MIT-0
All-time Installs: 2
Active Installs: 2
Total Versions: 36
Frequently Asked Questions

What is agent-bom compliance?

AI compliance and policy engine — evaluate scan results against OWASP, NIST, SOC 2, ISO 27001, CMMC, EU AI Act, AISVS v1.0, and related frameworks. Generate... It is an AI Agent Skill for Claude Code / OpenClaw, with 826 downloads so far.

How do I install agent-bom compliance?

Run "/install agent-bom-compliance" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is agent-bom compliance free?

Yes, agent-bom compliance is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does agent-bom compliance support?

agent-bom compliance is cross-platform and runs anywhere OpenClaw / Claude Code is available (darwin, linux, windows).

Who created agent-bom compliance?

It is built and maintained by Agent Bom (@msaad00); the current version is v0.82.3.
