AuditClaw GRC

by Nikhil Jathar (@mailnike) · GitHub ↗ · v1.0.2
Platforms: darwin, linux · Security Clean
623 downloads · 0 stars · 0 active installs · 6 versions

Install in OpenClaw: /install auditclaw-grc
Description
AI-native GRC (Governance, Risk, and Compliance) for OpenClaw. 97 actions across 13 frameworks including SOC 2, ISO 27001, HIPAA, GDPR, NIST CSF, PCI DSS, CI...
README (SKILL.md)

AuditClaw GRC

AI-native GRC assistant for OpenClaw. Manages compliance frameworks, controls, evidence, risks, policies, vendors, incidents, assets, training, vulnerabilities, access reviews, and questionnaires.

97 actions | 30 tables | 13 frameworks | 990+ controls

Security Model

  • Database: SQLite at ~/.openclaw/grc/compliance.sqlite with WAL mode, owner-only permissions (0o600)
  • Credentials: Stored in ~/.openclaw/grc/credentials/ with per-provider directories, owner-only permissions (0o700 dirs, 0o600 files), atomic writes, and secure deletion (overwrite with random bytes before removal). Secrets are never logged or exposed in output. See scripts/credential_store.py for implementation.
  • Trust center: Generates a local HTML file only. Nothing is published externally. The user decides where to host it.
  • Dependencies: requests==2.31.0 (pinned) for HTTP header scanning. Cloud integrations optionally use boto3 (AWS) and PyJWT (Azure) via try/except -- these are not required and only activate if installed and credentials are configured.
  • Scans: All security scans (headers, SSL, GDPR) run locally against user-specified URLs only.
  • No telemetry: No data is sent to external endpoints. All operations are local or to user-configured cloud accounts only.
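The credential-store pattern described in the Security Model, as an added illustrative implementation (not the project's scripts/credential_store.py): owner-only provider directories and files, temp-file-plus-rename atomic writes, and random-byte overwrite before unlink. The store directory, provider and secret names are whatever the caller supplies.

```python
# Illustrative implementation of the credential-store pattern described above:
# 0o700 provider directories, 0o600 files, atomic write via temp file + rename,
# and random-byte overwrite before unlink. Not the project's
# scripts/credential_store.py; the store directory is whatever the caller passes.
import os
import tempfile
from pathlib import Path


def save_secret(store_dir: Path, provider: str, name: str, secret: str) -> Path:
    """Atomically write <store_dir>/<provider>/<name> with owner-only permissions."""
    for seg in (provider, name):
        # Reject anything that is not a plain path segment (blocks traversal).
        if not seg or seg in (".", "..") or "/" in seg or "\\" in seg:
            raise ValueError(f"invalid path segment: {seg!r}")
    provider_dir = store_dir / provider
    provider_dir.mkdir(parents=True, exist_ok=True)
    os.chmod(provider_dir, 0o700)  # mkdir's mode is masked by umask; enforce it
    target = provider_dir / name
    # mkstemp creates the temp file 0o600 in the same directory, so the final
    # rename is atomic and readers never see a half-written secret.
    fd, tmp = tempfile.mkstemp(dir=provider_dir)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(secret)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, 0o600)
        os.replace(tmp, target)
    except BaseException:
        os.unlink(tmp)
        raise
    return target


def secure_delete(path: Path) -> bool:
    """Overwrite the file's bytes with random data, then unlink. False if absent."""
    if not path.is_file():
        return False
    size = path.stat().st_size
    with open(path, "r+b") as fh:
        fh.write(os.urandom(size))
        fh.flush()
        os.fsync(fh.fileno())
    path.unlink()
    return True
```

Overwriting before unlink is best-effort: on copy-on-write or journaling filesystems and on SSDs the old blocks may survive, so treat it as defence in depth behind the 0o600/0o700 permissions rather than a forensic guarantee.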

Optional Environment Variables (for cloud integrations)

These are not required for core GRC functionality. They are only used when the user explicitly sets up cloud provider integrations via companion skills:

Variable                                                                          Used by
AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY                                         AWS integration (via auditclaw-aws)
GITHUB_TOKEN                                                                      GitHub integration (via auditclaw-github)
AZURE_SUBSCRIPTION_ID / AZURE_CLIENT_ID / AZURE_CLIENT_SECRET / AZURE_TENANT_ID   Azure integration (via auditclaw-azure)
GCP_PROJECT_ID / GOOGLE_APPLICATION_CREDENTIALS                                   GCP integration (via auditclaw-gcp)
GOOGLE_WORKSPACE_SA_KEY / GOOGLE_WORKSPACE_ADMIN_EMAIL                            Google Workspace (via auditclaw-idp)
OKTA_ORG_URL / OKTA_API_TOKEN                                                     Okta (via auditclaw-idp)

Setup

python3 {baseDir}/scripts/init_db.py
pip install -r {baseDir}/scripts/requirements.txt

Database: ~/.openclaw/grc/compliance.sqlite

Voice and Formatting

  • Present data as formatted summaries, not raw JSON
  • Keep messages under 4096 chars. Show top 5-10 rows, offer "Want the full list?"
  • Emoji: ✅ complete, ⚠️ at-risk, 🔴 critical, 📊 scores, 📋 reports, 🔒 security
  • Include context: "23/43 controls complete (53%)" not just "23"
  • After each action, suggest the next logical step

Activation Triggers

Activate on: compliance, GRC, SOC 2, ISO 27001, HIPAA, GDPR, NIST, PCI DSS, CIS, CMMC, HITRUST, CCPA, FedRAMP, ISO 42001, SOX, ITGC, controls, evidence, risks, audit, gap analysis, security posture, compliance score, framework, security scan.

Database Operations

All queries go through: python3 {baseDir}/scripts/db_query.py --action <action> [args]

Output is JSON. Parse and present as human-readable summaries. For full action reference with all arguments: {baseDir}/references/db-actions.md

Core Actions

Action                                                Purpose
status                                                Overall compliance overview
activate-framework --slug soc2                        Load framework controls
gap-analysis --framework soc2                         Gaps with priority and effort
score-history --framework soc2                        Score trend over time
list-controls --framework soc2 --status in_progress   Filtered controls
update-control --id 5 --status complete               Update control (also batch: --id 1,2,3)
add-evidence --title "..." --control-ids 1,2,3        Record evidence
add-risk --title "..." --likelihood 3 --impact 4      Log a risk
add-vendor --name "..." --criticality high            Register vendor
add-incident --title "..." --severity critical        Log incident
generate-report --framework soc2                      HTML compliance report
generate-dashboard                                    Dashboard summary + Canvas HTML
export-evidence --framework soc2                      ZIP package for auditors
list-companions                                       Show installed companion skills

Additional Action Categories

  • Policies: add, version, submit approval, review, require acknowledgment
  • Training: add modules, assign, track completion, list overdue
  • Vulnerabilities: add with CVE/CVSS, track remediation
  • Access Reviews: create campaigns, add items, approve/revoke
  • Questionnaires: create templates, send to vendors, record answers, score
  • Incidents: add actions (timeline), post-incident reviews, summary with MTTR
  • Assets: register with classification, lifecycle, encryption/backup/patch status
  • Alerts: add, list, acknowledge, resolve
  • Integrations: add provider, test connection, setup guide, show policy

Framework Activation

Run: python3 {baseDir}/scripts/db_query.py --action activate-framework --slug <slug>

Framework             Slug           Controls
SOC 2 Type II         soc2           43
ISO 27001:2022        iso27001       114
HIPAA Security Rule   hipaa          29
GDPR                  gdpr           25
NIST CSF              nist-csf       31
PCI DSS v4.0          pci-dss        30
CIS Controls v8       cis-controls   153
CMMC 2.0              cmmc           113
HITRUST CSF v11       hitrust        152
CCPA/CPRA             ccpa           28
FedRAMP Moderate      fedramp        282
ISO 42001:2023        iso42001       40
SOX ITGC              sox-itgc       50

Framework reference docs: {baseDir}/references/frameworks/

Compliance Score

Run: python3 {baseDir}/scripts/compliance_score.py [--framework <slug>] [--store]

Returns score (0-100), health distribution, trend, and drift detection. Use --store to save for tracking. Methodology: {baseDir}/references/scoring-methodology.md

Security Scanning

  • Headers: python3 {baseDir}/scripts/check_headers.py --url <url> (CSP, HSTS, X-Frame-Options, etc.)
  • SSL/TLS: python3 {baseDir}/scripts/check_ssl.py --domain <domain> (cert validity, chain, cipher)
  • GDPR: Browser-based cookie consent check (requires Chromium)

After scans, offer to save results as evidence.

Reports and Exports

  • Report: python3 {baseDir}/scripts/generate_report.py --framework <slug> --format html
  • Trust center: python3 {baseDir}/scripts/generate_trust_center.py [--org-name "Acme Corp"] (local HTML only)
  • Evidence export: python3 {baseDir}/scripts/export_evidence.py --framework <slug>

Interactive Flows

First-Time Setup

When user asks to set up compliance: initialize DB silently, present framework options with control counts and use cases, offer gap analysis after activation.

Smart Defaults

  • Evidence type: infer from context (manual/automated/integration)
  • Risk assessment: suggest likelihood/impact with reasoning, confirm before saving
  • Bulk operations: list exactly what will change, confirm, report summary

Proactive Suggestions

After framework activation -> offer gap analysis and cloud integration setup. After marking controls complete -> offer score recalculation. After scanning -> offer to save as evidence. After scoring (< 30%) -> prioritize critical controls. (>= 90%) -> offer audit report.

Slash Commands

Command          Action
/grc-score       Quick compliance score
/grc-gaps        Priority gaps
/grc-scan        Security scan menu
/grc-report      Generate report
/grc-risks       Risk register
/grc-incidents   Active incidents
/grc-trust       Generate trust center

Scheduled Alerts (Cron)

Register via OpenClaw cron tool:

  • Evidence expiry: daily 7 AM
  • Score recalc: every 6 hours
  • Weekly digest: Monday 8 AM

Always include "Using auditclaw-grc skill" in cron messages for routing.

Companion Skills

Optional add-ons for automated cloud evidence collection. Evidence flows into the shared GRC database.

Skill              Checks                                                    Setup
auditclaw-aws      15 AWS checks (S3, IAM, CloudTrail, VPC, etc.)            aws configure with read-only IAM policy
auditclaw-github   9 GitHub checks (branch protection, secrets, 2FA, etc.)   GITHUB_TOKEN env var
auditclaw-azure    12 Azure checks (storage, NSG, Key Vault, etc.)           Service principal with Reader + Security Reader
auditclaw-gcp      12 GCP checks (storage, firewall, IAM, etc.)              GOOGLE_APPLICATION_CREDENTIALS with Viewer + Security Reviewer
auditclaw-idp      8 identity checks (Google Workspace + Okta)               SA key + admin email / Okta API token

Install: clawhub install auditclaw-<provider>

If a user asks to connect a cloud provider, check list-companions first. If not installed, guide them to install it.

Integration Setup

Say "setup aws", "setup github", etc. to get step-by-step guides with exact permissions. Use "test aws connection" to verify before running scans.

Reference Files

  • {baseDir}/references/db-actions.md - Full action reference with all arguments
  • {baseDir}/references/schema.md - Database schema
  • {baseDir}/references/scoring-methodology.md - Scoring algorithm
  • {baseDir}/references/commands/ - Detailed command guides
  • {baseDir}/references/frameworks/ - Framework reference docs
  • {baseDir}/references/integrations/ - Cloud integration guides

Usage Guidance

This package appears coherent for a local GRC tool, but you should take a few precautions before installing:

  1. Review the credential_store.py and auth_provider.py files to confirm how secrets are encrypted, saved, and deleted (the code claims owner-only perms and secure deletion—verify those behaviors).
  2. Run the skill in a development or isolated account/machine (or container) first, especially before supplying any cloud credentials.
  3. When enabling cloud integrations, prefer roles or short-lived credentials (IAM AssumeRole, service account impersonation) rather than long-lived keys.
  4. Inspect db_query.py and any omitted scripts for unexpected external network endpoints or logging of secrets.
  5. Note the small metadata inconsistency (SKILL.md lists an install step while registry metadata said no install spec) — not a security problem but worth being aware of.

If you want higher assurance, provide the full credential_store.py and db_query.py for targeted review or run the unit tests included in the repo in an isolated environment and inspect network activity during test runs.
Capability Analysis

Type: OpenClaw Skill
Name: auditclaw-grc
Version: 1.0.2

The OpenClaw AgentSkills skill bundle 'auditclaw-grc' is classified as benign. The code and documentation consistently align with its stated purpose of providing AI-native GRC functionality, including compliance management, risk assessment, and security scanning. Notably, the `scripts/credential_store.py` implements robust security measures like path traversal protection and secure deletion of sensitive files. Furthermore, the `CHANGELOG.md` explicitly highlights the addition of CSV injection protection in `scripts/export_evidence.py` and XSS prevention in HTML report generation (`scripts/generate_report.py`, `scripts/generate_trust_center.py`), demonstrating a strong commitment to security by the developers. All interactions with the SQLite database in `scripts/db_query.py` utilize parameterized queries, effectively preventing SQL injection vulnerabilities. The `SKILL.md` instructions for the AI agent are clear, directly related to the GRC functions, and contain no evidence of prompt injection attempts or malicious directives.
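The three defenses credited to the project in the analysis above, as an added illustrative example rather than the project's own scripts: CSV formula neutralisation for an evidence export, HTML escaping in report generation, and parameterized SQLite lookups. The evidence table and its rows are constructed for the demo.

```python
# Illustrative versions of the three defenses credited to the project above:
# CSV formula neutralisation, HTML escaping for reports, and parameterized
# SQLite queries. Not the project's scripts; the table and rows are constructed.
import csv
import html
import io
import sqlite3

# Cells starting with one of these are treated as formulas by spreadsheet apps.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value: object) -> str:
    """Prefix a single quote so the cell is displayed as text, not evaluated."""
    text = "" if value is None else str(value)
    return "'" + text if text.startswith(FORMULA_PREFIXES) else text


def export_evidence_csv(rows: list[dict]) -> str:
    """Render evidence rows to CSV with every cell neutralized and fully quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["id", "title", "control_ids"])
    for r in rows:
        writer.writerow([neutralize_cell(r[k]) for k in ("id", "title", "control_ids")])
    return buf.getvalue()


def render_evidence_row_html(row: dict) -> str:
    """Escape every field before interpolating it into report HTML."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(str(row["id"])), html.escape(str(row["title"])))


def find_evidence_by_title(conn: sqlite3.Connection, title: str) -> list[dict]:
    """Parameterized lookup: the title is bound as a value, never spliced into SQL."""
    cur = conn.execute(
        "SELECT id, title, control_ids FROM evidence WHERE title = ?", (title,))
    return [dict(zip(("id", "title", "control_ids"), r)) for r in cur.fetchall()]


def demo_db() -> sqlite3.Connection:
    """In-memory evidence table with constructed rows, two of them hostile-looking."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE evidence (id INTEGER PRIMARY KEY, title TEXT, control_ids TEXT)")
    conn.executemany("INSERT INTO evidence (title, control_ids) VALUES (?, ?)", [
        ("MFA screenshot", "1,2,3"),
        ("=SUM(1,2)", "4"),
        ("<script>alert(1)</script>", "5"),
    ])
    return conn
```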
Capability Assessment
Purpose & Capability
The skill claims to be a GRC assistant and includes database scripts, scanning tools (HTTP headers, SSL), reporting/dashboard generation, drift detection, and credential helpers. The requested binaries (python3 and an optional headless browser) and the included scripts match that purpose. Optional cloud integration environment variables are declared and are appropriate for the described companion skills.
Instruction Scope
SKILL.md instructs running local Python scripts, creating a local SQLite DB in ~/.openclaw/grc, and running scans against user-specified URLs. The scripts shown (check_headers.py, check_ssl.py, drift_detector.py, generate_dashboard.py, auth_provider.py) operate on local DB/evidence paths and perform network calls only to target URLs or to cloud SDKs when configured. Drift detection explicitly restricts file reads to the ~/.openclaw/grc directory. There are no instructions to read or exfiltrate arbitrary system files.
Install Mechanism
SKILL.md contains an install hint (pip install -r scripts/requirements.txt and python3 scripts/init_db.py) and the package includes a local requirements.txt that pins only 'requests'. There is no remote download or third-party package installation beyond this local pip requirement, which is proportionate. Note: registry metadata listed 'No install spec' while SKILL.md includes metadata.install; this metadata inconsistency is harmless but worth noting.
Credentials
No required environment variables are declared. A set of optional env vars are listed (AWS/GCP/Azure/GITHUB/IDP related) and are only needed for their respective companion cloud integrations. The auth provider falls back to standard SDK defaults (env vars, ~/.aws, ADC, etc.), which is expected for cloud integration. The skill also implements a local credential store (credential_store.py) rather than forcing env vars, which fits the stated design. Because these vars enable cloud access, grant them only if you intend to use the companion integrations.
Persistence & Privilege
The skill stores data in the user's home under ~/.openclaw/grc and claims to use owner-only permissions for DB and credential files. It does not request system-wide config changes or always:true inclusion. Post-install DB initialization is normal for such a tool. The storage location and behaviors are consistent with the stated purpose.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install auditclaw-grc
  3. After installation, invoke the skill by name or use /auditclaw-grc
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2

  • Added homepage and source links for easier project access and support.
  • Introduced explicit install instructions in metadata for pip and post-install scripts.
  • Metadata now specifies optional environment variables for cloud integrations.
  • No functional or behavioral changes; documentation/metadata improvements only.

v1.0.1

No functional changes in this release; metadata update only.

  • Added homepage URL metadata for discoverability.
  • No code or feature updates included.

v1.0.0

Initial release of auditclaw-grc: an AI-native GRC assistant for OpenClaw with broad compliance support.

  • Supports 97+ actions across 13 frameworks (SOC 2, ISO 27001, HIPAA, GDPR, NIST CSF, PCI DSS, CIS Controls, CMMC, HITRUST, CCPA, FedRAMP, ISO 42001, SOX ITGC).
  • Manages controls, evidence, risks, policies, vendors, incidents, assets, training, vulnerabilities, access reviews, and questionnaires.
  • Generates compliance scores, reports, dashboards, and trust center pages; includes local security header, SSL, and GDPR scans.
  • Integrates with AWS, Azure, GCP, and GitHub via companion skills; uses SQLite with strict security.
  • Includes interactive flows, emoji-based summaries, slash commands, and scheduled cron alerts.
  • No external data is published—user controls all exports and reports.
v6.0.2
Concise SKILL.md (755->188 lines), security model docs, pinned deps, type:executable metadata
v6.0.1
Concise SKILL.md, security model docs, pinned deps, type:executable metadata
v6.0.0
Initial ClawHub publish: 97 actions, 30 tables, 13 frameworks
Metadata
Slug auditclaw-grc
Version 1.0.2
License
All-time Installs 2
Active Installs 0
Total Versions 6
Frequently Asked Questions

What is AuditClaw GRC?

AI-native GRC (Governance, Risk, and Compliance) for OpenClaw. 97 actions across 13 frameworks including SOC 2, ISO 27001, HIPAA, GDPR, NIST CSF, PCI DSS, CI... It is an AI Agent Skill for Claude Code / OpenClaw, with 623 downloads so far.

How do I install AuditClaw GRC?

Run "/install auditclaw-grc" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is AuditClaw GRC free?

Yes, AuditClaw GRC is completely free (open-source). You can download, install and use it at no cost.

Which platforms does AuditClaw GRC support?

AuditClaw GRC is cross-platform and runs anywhere OpenClaw / Claude Code is available (darwin, linux).

Who created AuditClaw GRC?

It is built and maintained by Nikhil Jathar (@mailnike); the current version is v1.0.2.
