Description

Generate SOC2 evidence collection checklists, automate evidence gathering scripts, and produce audit-ready evidence packages. Covers all 5 Trust Service Crit...

README (SKILL.md)

SOC2 Evidence Collector

Name: Soc2 Evidence Collector
Author: afrexai-cto

Automate evidence gathering for SOC2 Type I and Type II audits across all 5 Trust Service Criteria.

When to Use

Preparing for an upcoming SOC2 audit (Type I or Type II)
Building continuous compliance evidence pipelines
Auditor requests evidence and you need to gather it fast
Onboarding a new client who requires SOC2 compliance proof
Annual evidence refresh cycle
Gap analysis before engaging an audit firm

Input

Gather these from the user before generating:

Required

Audit type: Type I (point-in-time) or Type II (over a period, typically 3-12 months)
Trust Service Criteria in scope: Security (CC — always required), plus any of: Availability, Processing Integrity, Confidentiality, Privacy
Cloud provider(s): AWS, GCP, Azure, multi-cloud, on-prem, hybrid
Primary tech stack: languages, frameworks, CI/CD, IaC tools
Team size: engineering + ops headcount

Optional

Current compliance certifications (ISO 27001, HIPAA, PCI-DSS, etc.)
Audit firm name and timeline
Previous audit findings or gaps
Specific control frameworks already mapped (NIST 800-53, CIS, etc.)
SSO/IdP provider (Okta, Azure AD, Google Workspace, etc.)

Evidence Categories

CC — Common Criteria (Security) — Always In Scope

CC1: Control Environment

Evidence	Source	Collection Method
Org chart with security roles	HR system / Confluence	Manual export quarterly
Security policy documents	Policy repo / wiki	Git log showing annual review
Code of conduct acknowledgments	HR system	Export signed acknowledgments
Board/management meeting minutes on security	Calendar + notes	Screenshot + agenda export
Risk assessment documentation	GRC tool / spreadsheet	Export current risk register

CC2: Communication and Information

Evidence	Source	Collection Method
Security awareness training records	LMS / training platform	Completion report export
Onboarding security checklist	HR system	Template + completion logs
Incident communication procedures	Runbook / wiki	Version-controlled doc with review history
External communication policies	Policy repo	Git log + approval records

CC3: Risk Assessment

Evidence	Source	Collection Method
Annual risk assessment report	GRC tool	PDF export with sign-off
Vendor risk assessments	Vendor management tool	Export assessment records
Penetration test reports	Security vendor	PDF reports with remediation tracking
Vulnerability scan results	Scanner (Qualys, Nessus, etc.)	Automated export, monthly

CC4: Monitoring Activities

Evidence	Source	Collection Method
SIEM dashboards and alert configs	Datadog / Splunk / CloudWatch	Screenshot + config export
Uptime monitoring evidence	Pingdom / Datadog / UptimeRobot	Monthly uptime reports
Log retention configuration	Cloud provider console	Config export / IaC snippet
Anomaly detection rules	SIEM / monitoring tool	Rule export with change log

CC5: Control Activities

Evidence	Source	Collection Method
Access control matrix	IdP / IAM console	Export user-role mappings
MFA enforcement evidence	IdP admin console	Policy config screenshot
Firewall / security group rules	Cloud console / IaC	`terraform state` or console export
Encryption at rest configuration	Cloud console / IaC	Config export showing encryption enabled
Encryption in transit (TLS)	Load balancer / CDN config	Certificate + config export

CC6: Logical and Physical Access Controls

Evidence	Source	Collection Method
User access reviews (quarterly)	IdP + spreadsheet	Review meeting notes + updated access list
Terminated user deprovisioning	IdP audit log	Export showing timely deactivation
SSH key / credential rotation logs	Secrets manager	Rotation event logs
Physical access logs (if applicable)	Building management	Badge access reports

CC7: System Operations

Evidence	Source	Collection Method
Change management records	Jira / GitHub PRs	Export merged PRs with approvals
CI/CD pipeline configuration	GitHub Actions / CircleCI	Config file export from repo
Deployment approval process	PR review settings	Branch protection rule screenshots
Incident response logs	PagerDuty / Opsgenie	Incident timeline exports
Backup configuration and test results	Cloud console / IaC	Backup policy + restore test logs

CC8: Change Management

Evidence	Source	Collection Method
PR review requirements	GitHub / GitLab settings	Branch protection config
Code review evidence	GitHub PR history	Export PRs with review comments
Release notes / changelogs	Repo	CHANGELOG.md with version history
Rollback procedures	Runbook	Documented procedure with test evidence

CC9: Risk Mitigation

Evidence	Source	Collection Method
Business continuity plan	Policy repo	Document with annual review evidence
Disaster recovery test results	DR runbook	Test execution logs + results
Insurance certificates	Finance / legal	Current certificate copies
Sub-processor agreements	Legal / contract management	Signed DPAs + vendor list

A — Availability (If In Scope)

Evidence	Source	Collection Method
SLA definitions and monitoring	Product docs + monitoring	SLA doc + uptime dashboard exports
Capacity planning documentation	Architecture docs	Quarterly capacity review notes
Auto-scaling configuration	Cloud console / IaC	Config export
Incident response SLA adherence	PagerDuty / incident tracker	Response time reports
Redundancy / failover configuration	Cloud architecture	Architecture diagram + failover test logs

PI — Processing Integrity (If In Scope)

Evidence	Source	Collection Method
Data validation rules	Application code / config	Code snippets + test results
QA / testing procedures	CI/CD pipeline	Test suite config + pass/fail reports
Error handling and correction procedures	Runbook / code	Error handling docs + incident examples
Data reconciliation reports	Application logs / reports	Monthly reconciliation output

C — Confidentiality (If In Scope)

Evidence	Source	Collection Method
Data classification policy	Policy repo	Document with review history
NDA / confidentiality agreements	Legal / HR	Signed agreement copies
Data retention and disposal policy	Policy repo	Policy doc + disposal logs
DLP tool configuration	DLP tool admin	Config export + alert samples

P — Privacy (If In Scope)

Evidence	Source	Collection Method
Privacy policy (public)	Website	URL + version history
Data processing agreements	Legal	Signed DPAs
Consent management records	CMP / application	Consent log exports
Data subject request procedures	Policy repo / ticketing	Procedure doc + DSR ticket samples
Privacy impact assessments	GRC tool / docs	PIA reports for high-risk processing

Automation Scripts

When the user's stack is identified, generate shell scripts for automated evidence collection:

AWS Evidence Collection (example)

#!/bin/bash
# SOC2 Evidence Collector — AWS
# Generated by AfrexAI SOC2 Evidence Collector skill
set -euo pipefail

EVIDENCE_DIR="soc2-evidence/$(date +%Y-%m-%d)"
mkdir -p "$EVIDENCE_DIR"/{iam,network,encryption,logging,compute}

echo "=== CC5: Access Controls ==="
aws iam get-account-summary > "$EVIDENCE_DIR/iam/account-summary.json"
aws iam generate-credential-report && sleep 5
aws iam get-credential-report --output text --query Content | base64 -d > "$EVIDENCE_DIR/iam/credential-report.csv"
aws iam list-users --output json > "$EVIDENCE_DIR/iam/users.json"
aws iam list-policies --scope Local --output json > "$EVIDENCE_DIR/iam/custom-policies.json"

echo "=== CC5: Encryption at Rest ==="
aws rds describe-db-instances --query 'DBInstances[*].{ID:DBInstanceIdentifier,Encrypted:StorageEncrypted,KmsKey:KmsKeyId}' > "$EVIDENCE_DIR/encryption/rds-encryption.json"
aws s3api list-buckets --query 'Buckets[*].Name' --output text | tr '	' '\
' | while read bucket; do
  aws s3api get-bucket-encryption --bucket "$bucket" >> "$EVIDENCE_DIR/encryption/s3-encryption.json" 2>/dev/null || echo "{\"bucket\":\"$bucket\",\"encryption\":\"NONE\"}" >> "$EVIDENCE_DIR/encryption/s3-encryption.json"
done

echo "=== CC4: Logging ==="
aws cloudtrail describe-trails > "$EVIDENCE_DIR/logging/cloudtrail-config.json"
aws cloudwatch describe-alarms --state-value ALARM > "$EVIDENCE_DIR/logging/active-alarms.json"

echo "=== CC5: Network Security ==="
aws ec2 describe-security-groups > "$EVIDENCE_DIR/network/security-groups.json"
aws ec2 describe-vpcs > "$EVIDENCE_DIR/network/vpcs.json"

echo "=== CC6: MFA Status ==="
aws iam list-virtual-mfa-devices > "$EVIDENCE_DIR/iam/mfa-devices.json"

echo "Evidence collected in $EVIDENCE_DIR"
echo "Review and redact sensitive values before sharing with auditors."

GitHub Evidence Collection (example)

#!/bin/bash
# SOC2 Evidence Collector — GitHub
set -euo pipefail

ORG="${1:?Usage: $0 \x3Cgithub-org>}"
EVIDENCE_DIR="soc2-evidence/$(date +%Y-%m-%d)/github"
mkdir -p "$EVIDENCE_DIR"

echo "=== CC8: Branch Protection ==="
gh api "/orgs/$ORG/repos" --paginate --jq '.[].name' | while read repo; do
  gh api "/repos/$ORG/$repo/branches/main/protection" 2>/dev/null > "$EVIDENCE_DIR/${repo}-branch-protection.json" || true
done

echo "=== CC7: Recent Deployments ==="
gh api "/orgs/$ORG/repos" --paginate --jq '.[].name' | head -10 | while read repo; do
  gh api "/repos/$ORG/$repo/deployments?per_page=10" > "$EVIDENCE_DIR/${repo}-deployments.json" 2>/dev/null || true
done

echo "=== CC8: PR Review Evidence ==="
gh api "/orgs/$ORG/repos" --paginate --jq '.[].name' | head -10 | while read repo; do
  gh pr list --repo "$ORG/$repo" --state merged --limit 20 --json number,title,mergedAt,reviewDecision > "$EVIDENCE_DIR/${repo}-merged-prs.json" 2>/dev/null || true
done

echo "=== CC5: Org Security Settings ==="
gh api "/orgs/$ORG" --jq '{two_factor_requirement: .two_factor_requirement_enabled, default_permissions: .default_repository_permission}' > "$EVIDENCE_DIR/org-security.json"

echo "Evidence collected in $EVIDENCE_DIR"

Output Format

Generate a structured evidence package:

soc2-evidence/
├── README.md                    # Overview, scope, period, auditor info
├── evidence-matrix.md           # Full checklist with status (collected/pending/N-A)
├── collection-scripts/
│   ├── collect-aws.sh
│   ├── collect-github.sh
│   ├── collect-idp.sh
│   └── collect-monitoring.sh
├── gap-analysis.md              # Missing evidence + remediation steps
└── schedule.md                  # Evidence collection calendar (what to refresh when)

evidence-matrix.md Format

| # | Control | Evidence | Status | Source | Last Collected | Notes |
|---|---------|----------|--------|--------|---------------|-------|
| CC1.1 | Org chart | org-chart-2026-Q1.pdf | ✅ Collected | HR export | 2026-01-15 | |
| CC5.3 | MFA enforcement | mfa-config.json | ✅ Automated | IdP API | 2026-03-17 | Script: collect-idp.sh |
| CC3.2 | Pen test report | — | ⏳ Pending | External vendor | — | Due 2026-04-01 |

Workflow

Gather inputs (audit type, scope, stack, team size)
Generate the full evidence matrix for in-scope criteria
Mark known evidence sources based on their stack
Generate collection scripts for automated gathering
Identify gaps and generate remediation recommendations
Create an evidence collection schedule (daily/weekly/monthly/quarterly)
Output the complete evidence package

Tips for Users

Start 3-6 months before audit: evidence gaps take time to fill
Automate early: scripts that run monthly save panic before audit
Version everything: auditors love seeing change history
Don't fake it: missing evidence is better than fabricated evidence
Continuous > point-in-time: Type II requires sustained evidence over the audit period
Tag evidence: use consistent naming so auditors can self-serve

AfrexAI Note

This skill generates the framework and automation scaffolding. For hands-on SOC2 audit preparation with managed AI agents handling continuous evidence collection, monitoring, and auditor coordination — that's what AfrexAI's AI-as-a-Service delivers. Contact us at [email protected].

Usage Guidance

This skill can legitimately help prepare SOC2 evidence, but proceed with caution: - Ask the agent (before providing anything) exactly how it will collect credentials and where it will store or transmit collected evidence. Do not paste sensitive credentials into chat unless you understand and trust the destination. - Prefer issuing temporary, least-privilege, read-only API tokens (for AWS/GCP/Azure, GitHub, and your IdP) and set short expirations. Never supply root or full-admin credentials. - Require the agent to produce scripts first and review them manually before execution. Run any generated scripts in an isolated environment (sandbox or dedicated machine) and inspect network activity if possible. - Confirm the skill will not upload evidence packages to external endpoints you do not control; ask for explicit filenames/paths and retention policies. - If you plan to allow autonomous agent invocation, restrict that until you’ve tested the workflow manually; consider disabling autonomous runs for this skill. Given the skill is instruction-only and the package contains no code, the absence of scan findings is not a guarantee of safety — verify credential handling and review outputs before using in production.

Capability Analysis

Type: OpenClaw Skill Name: afrexai-soc2-evidence-collector Version: 1.0.0 The skill bundle provides a framework and automation scripts for SOC2 evidence collection. The included Bash scripts for AWS and GitHub (found in SKILL.md) use standard CLI tools to perform read-only discovery of security configurations and save them to a local directory for audit purposes. No evidence of data exfiltration, malicious execution, or prompt injection was found; the behavior is entirely consistent with the stated purpose of compliance auditing.

Capability Assessment

ℹ Purpose & Capability

The name/description match the content: the skill aims to produce evidence checklists and automated collection scripts for cloud, GitHub, and IdP platforms. That capability is coherent with the stated purpose. However, generating runnable collection scripts for multiple platforms inherently requires credentials, API tokens or console access that are not described in the metadata (no required env vars or config paths). The absence of any declared credential requirements is a notable omission but could be explained if the agent always asks interactively for credentials or instructs the user to run scripts locally.

⚠ Instruction Scope

The SKILL.md instructs the agent to generate scripts and instructions to export logs, IAM mappings, terraform state, console configs, HR exports, calendar screenshots, and other sensitive artifacts across cloud providers and IdPs. Those instructions imply collection of highly sensitive data (credentials, logs, PII). The document does not explicitly constrain what the agent may ask for or where collected evidence may be sent; it also does not require explicit user approval steps before creating or transmitting evidence. This open scope increases the risk the agent might request or assemble sensitive artifacts in ways the user didn't expect.

✓ Install Mechanism

This is an instruction-only skill with no install spec and no bundled code — low disk footprint and no remote install URLs. That minimizes supply-chain risk from the package itself.

⚠ Credentials

The skill will need access to cloud consoles, IdPs, GitHub, HR systems, and possibly on-prem systems to collect evidence, but the registry metadata declares no required environment variables, credentials, or config paths. That mismatch means the skill either expects interactive credential entry, will produce scripts that require credentials, or will instruct the user to run commands themselves — the SKILL.md does not make the handling, scoping (read-only vs. admin), or lifetime (temporary vs. permanent) of secrets explicit. Requesting broad access to many services without specifying least-privilege guidance is disproportionate.

✓ Persistence & Privilege

The skill is not marked always:true and does not request any system-level persistence. It is user-invocable and allows model invocation (normal default). There is no evidence in the package of attempts to modify other skills or system-wide agent settings.

Version History

v1.0.0

Initial release of SOC2 Evidence Collector by AfrexAI. - Generate comprehensive SOC2 evidence collection checklists for all 5 Trust Service Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy). - Automate evidence gathering scripts and workflows tailored for SOC2 Type I and Type II audits. - Produce audit-ready evidence packages to streamline compliance processes. - Includes detailed guidance on required inputs, evidence categories, and recommended collection methods. - Useful for audit preparations, continuous compliance, and evidence automation.

Metadata

Slug afrexai-soc2-evidence-collector

Version 1.0.0

License MIT-0

All-time Installs 1

Active Installs 1

Total Versions 1

Frequently Asked Questions

What is Soc2 Evidence Collector?

Generate SOC2 evidence collection checklists, automate evidence gathering scripts, and produce audit-ready evidence packages. Covers all 5 Trust Service Crit... It is an AI Agent Skill for Claude Code / OpenClaw, with 225 downloads so far.

How do I install Soc2 Evidence Collector?

Run "/install afrexai-soc2-evidence-collector" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Soc2 Evidence Collector free?

Yes, Soc2 Evidence Collector is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Soc2 Evidence Collector support?

Soc2 Evidence Collector is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Soc2 Evidence Collector?

It is built and maintained by afrexai-cto (@afrexai-cto); the current version is v1.0.0.

More Skills

Soc2 Evidence Collector