Vendor Risk Assessment

Author: 1kalin · GitHub · v1.0.0
cross-platform · security check passed
517 total downloads · 0 favorites · 0 current installs · 1 version
Install in OpenClaw: /install afrexai-vendor-risk
Description
Evaluate and score vendors on security, financials, compliance, operations, and data handling to classify risk and manage remediation plans effectively.
Usage (SKILL.md)

Vendor Risk Assessment

Score and manage third-party vendor risk across security, financial stability, compliance, operational dependency, and data handling. Built for procurement teams, CISOs, and operations leaders managing 10+ vendors.

Usage

Run this assessment for each critical vendor. Aggregate scores into a portfolio risk view.

Assessment Framework

1. Vendor Risk Scorecard (5 Domains, 0-100 each)

Score each domain by summing the points the vendor can evidence; an unanswered or unevidenced item earns nothing. The positive items in every domain total exactly 100, so the aggregate across the five domains runs 0-500. Only Operational Dependency carries a penalty (single point of failure, -20); floor that domain at 0 if the penalty pushes it negative.

Security Posture (0-100)

  • SOC 2 Type II current? (+20)
  • Penetration test within 12 months? (+15)
  • Incident response plan documented? (+15)
  • Data encryption at rest and transit? (+15)
  • MFA enforced for all access? (+10)
  • Security questionnaire completed? (+10)
  • Subprocessor list disclosed? (+15)

Financial Stability (0-100)

  • Revenue trend (growing +25, flat +10, declining 0)
  • Funding runway >18 months? (+20)
  • Customer concentration <20%? (+15)
  • Public financials or audited statements? (+15)
  • No material litigation? (+15)
  • Credit rating acceptable? (+10)

Compliance & Regulatory (0-100)

  • Industry certifications current? (+20)
  • GDPR/CCPA compliant? (+20)
  • Data processing agreement signed? (+15)
  • Regulatory audit history clean? (+15)
  • Right to audit clause? (+15)
  • Data residency requirements met? (+15)

Operational Dependency (0-100)

  • SLA with financial penalties? (+20)
  • Uptime >99.9% trailing 12 months? (+20)
  • Disaster recovery tested annually? (+15)
  • Single point of failure for your business? (-20)
  • Migration plan documented? (+15)
  • API/export capability? (+15)
  • Vendor lock-in risk assessment? (+15)

Data Handling (0-100)

  • Data classification documented? (+20)
  • Retention/deletion policies clear? (+20)
  • Breach notification <72 hours? (+20)
  • Data portability guaranteed? (+15)
  • AI/ML training on your data? (opt-out available +15, no opt-out -10)
  • Access logging and audit trail? (+10)

2. Risk Tier Classification

Aggregate Score   Tier        Review Cadence   Action
400-500           Low Risk    Annual           Standard monitoring
300-399           Moderate    Semi-annual      Remediation plan required
200-299           High Risk   Quarterly        Executive escalation, alternatives identified
0-199             Critical    Monthly          Exit plan required within 90 days

3. Portfolio Risk View

Total vendors: ___
Critical tier: ___ (target: 0)
High risk: ___ (target: <10%)
Moderate: ___ (target: <30%)
Low risk: ___ (target: >60%)

Top 3 concentration risks:
1. [Vendor] — [function] — [% of operations dependent]
2. [Vendor] — [function] — [% of operations dependent]
3. [Vendor] — [function] — [% of operations dependent]

Annual vendor spend: $___
Spend on high/critical vendors: $___  (___%)
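The scorecard, tier table and portfolio targets above, implemented in Python so the same rubric is applied to every vendor and the aggregate view falls out of the per-vendor scores. This is an added example, not code from the skill or its author. The criterion keys, the three sample vendors and their answers are constructed for illustration; treating an unanswered item as 0 points and flooring a domain at 0 when the single-point-of-failure penalty pushes it negative are this example's conventions, and rubric_max() is a sanity check that each domain's positive items really sum to 100.

```python
# Added example, not code from the skill or its author: the five-domain scorecard, tier
# table and portfolio targets above, applied uniformly. Keys and sample vendors are made up.

def yn(points):
    """Yes/no criterion: full points when evidenced, nothing otherwise."""
    return {True: points, False: 0}

# Point values are the page's own. A criterion maps each accepted answer to points; any
# other answer (including no answer) scores 0, so an unevidenced claim earns no credit.
RUBRIC = {
    "security": {
        "soc2_type2_current": yn(20), "pentest_within_12m": yn(15), "ir_plan_documented": yn(15),
        "encryption_rest_and_transit": yn(15), "mfa_enforced": yn(10),
        "questionnaire_completed": yn(10), "subprocessor_list_disclosed": yn(15)},
    "financial": {
        "revenue_trend": {"growing": 25, "flat": 10, "declining": 0}, "runway_over_18m": yn(20),
        "customer_concentration_under_20pct": yn(15), "audited_financials": yn(15),
        "no_material_litigation": yn(15), "credit_rating_acceptable": yn(10)},
    "compliance": {
        "certifications_current": yn(20), "gdpr_ccpa_compliant": yn(20), "dpa_signed": yn(15),
        "regulatory_audit_history_clean": yn(15), "right_to_audit": yn(15),
        "data_residency_met": yn(15)},
    "operational": {
        "sla_with_penalties": yn(20), "uptime_over_99_9pct": yn(20), "dr_tested_annually": yn(15),
        "single_point_of_failure": {True: -20, False: 0}, "migration_plan_documented": yn(15),
        "api_export_capability": yn(15), "lock_in_risk_assessed": yn(15)},
    "data_handling": {
        "classification_documented": yn(20), "retention_deletion_clear": yn(20),
        "breach_notification_under_72h": yn(20), "portability_guaranteed": yn(15),
        "ai_training_on_your_data": {"opt_out_available": 15, "no_opt_out": -10},
        "access_logging": yn(10)},
}

# Tier table from the page: (aggregate floor, tier, review cadence, action), highest first.
TIERS = [
    (400, "Low Risk", "Annual", "Standard monitoring"),
    (300, "Moderate", "Semi-annual", "Remediation plan required"),
    (200, "High Risk", "Quarterly", "Executive escalation, alternatives identified"),
    (0, "Critical", "Monthly", "Exit plan required within 90 days"),
]

def rubric_max(domain):
    """Best achievable total for a domain; checks that each domain really sums to 100."""
    return sum(max(points.values()) for points in RUBRIC[domain].values())

def score_domain(domain, answers):
    """Sum one domain's points, floored at 0 because the SPOF penalty can push it negative."""
    total = sum(pts.get(answers.get(crit), 0) for crit, pts in RUBRIC[domain].items())
    return max(0, min(100, total))

def classify(aggregate):
    """Map a 0-500 aggregate to (tier, review cadence, action)."""
    for floor, tier, cadence, action in TIERS:
        if aggregate >= floor:
            return tier, cadence, action
    raise ValueError(f"aggregate out of range: {aggregate}")

def assess(answers):
    domains = {d: score_domain(d, answers) for d in RUBRIC}
    aggregate = sum(domains.values())
    tier, cadence, action = classify(aggregate)
    return {"domains": domains, "aggregate": aggregate, "tier": tier, "cadence": cadence, "action": action}

def portfolio_view(vendors):
    """Tier counts across the portfolio and whether each target from the page is met."""
    results = {name: assess(answers) for name, answers in vendors.items()}
    n = len(results) or 1  # avoid dividing by zero on an empty portfolio
    counts = {tier: 0 for _, tier, _, _ in TIERS}
    for r in results.values():
        counts[r["tier"]] += 1
    targets_met = {"Critical": counts["Critical"] == 0,          # target: 0
                   "High Risk": counts["High Risk"] / n < 0.10,  # target: <10%
                   "Moderate": counts["Moderate"] / n < 0.30,    # target: <30%
                   "Low Risk": counts["Low Risk"] / n > 0.60}    # target: >60%
    return {"total": len(results), "counts": counts, "targets_met": targets_met, "vendors": results}

# Constructed answers for three hypothetical vendors (names and answers are made up).
SAMPLE_VENDORS = {
    # Everything evidenced: 100 in every domain, aggregate 500.
    "payments-gw": {c: True for d in RUBRIC for c in RUBRIC[d]} | {
        "revenue_trend": "growing", "single_point_of_failure": False,
        "ai_training_on_your_data": "opt_out_available"},
    # Partial evidence plus a single point of failure: 60/40/55/15/40, aggregate 210.
    "analytics-saas": {
        "soc2_type2_current": True, "ir_plan_documented": True, "encryption_rest_and_transit": True,
        "questionnaire_completed": True, "revenue_trend": "flat",
        "customer_concentration_under_20pct": True, "no_material_litigation": True,
        "certifications_current": True, "gdpr_ccpa_compliant": True, "dpa_signed": True,
        "uptime_over_99_9pct": True, "single_point_of_failure": True, "api_export_capability": True,
        "retention_deletion_clear": True, "breach_notification_under_72h": True,
        "ai_training_on_your_data": "no_opt_out", "access_logging": True},
    # Almost nothing evidenced; the SPOF penalty alone would make operational -20, floored to 0.
    "legacy-erp": {"soc2_type2_current": True, "single_point_of_failure": True},
}

if __name__ == "__main__":
    view = portfolio_view(SAMPLE_VENDORS)
    for name, r in view["vendors"].items():
        print(f"{name}: {r['aggregate']}/500 {r['tier']}, review {r['cadence']}: {r['action']}")
    print("targets met:", view["targets_met"])
```

Feeding the three constructed vendors through portfolio_view() gives one Low Risk, one High Risk and one Critical vendor, so the Critical, High Risk and Low Risk targets all show as unmet; only the Moderate target passes. Keeping the rubric as data rather than code means a point value can be changed in one place when the scorecard is tuned, and rubric_max() will catch a domain that no longer sums to 100.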

4. Cost of Vendor Failure

Impact Area              Calculation
Revenue loss             Daily revenue × expected downtime days
Recovery cost            Migration estimate + emergency procurement
Compliance penalty       Regulatory fine range for a data breach via the vendor
Reputation damage        Customer churn rate × LTV × affected customers
Operational disruption   Staff idle cost × recovery period

5. Quarterly Review Template

  • Score changes since last review (flag any >10 point drops)
  • New subprocessors added by vendor
  • SLA performance vs target
  • Security incidents or near-misses
  • Contract renewal timeline and negotiation leverage
  • Alternative vendor benchmarking

6. Red Flags (Immediate Action)

  • Vendor acquired by competitor
  • Key personnel departures (CISO, CTO)
  • Downtime exceeding SLA 2+ months
  • Regulatory action or investigation
  • Refusal to complete security questionnaire
  • Data breach affecting other customers
  • Sudden pricing changes >20%

Industry-Specific Vendor Risks

Industry                Critical Vendor Category               Specific Risk
Healthcare              EHR, billing, telehealth               HIPAA BAA gaps, PHI exposure
Financial Services      Core banking, payments, KYC            PCI DSS, regulatory reporting
Legal                   Case management, ediscovery            Privilege breach, client data
SaaS                    Infrastructure, auth, payments         Cascading outages, PII
Manufacturing           MES, supply chain, IoT                 IP theft, production stoppage
Construction            Project management, safety             Compliance documentation gaps
Ecommerce               Payments, fulfillment, CDN             PCI, availability during peak
Recruitment             ATS, background check, payroll         Candidate PII, bias in AI screening
Real Estate             MLS, transaction mgmt, title           Wire fraud, closing delays
Professional Services   CRM, billing, document mgmt            Client confidentiality breach


Safe Usage Advice
This skill appears coherent and safe as a playbook: it contains only assessment guidance and templates and does not request credentials or install anything. Before using it, open any external links (the playbook and agent-setup URLs) in a browser to confirm they are trustworthy, and avoid pasting sensitive credentials into third-party sites. If you plan to automate vendor assessments, sandbox any agent workflows that will handle vendor data and ensure they do not forward sensitive information to unknown endpoints.
Functional Analysis
Type: OpenClaw Skill
Name: afrexai-vendor-risk
Version: 1.0.0
The skill bundle provides a framework for vendor risk assessment, including scoring, classification, and review templates. The `SKILL.md` and `README.md` files contain only descriptive and instructional text related to this purpose, with no evidence of prompt injection attempts, malicious commands, data exfiltration, or other harmful behaviors. External links point to a GitHub Pages domain (`afrexai-cto.github.io`) for related commercial offerings, which is not inherently malicious in this context.
Capability Assessment
Purpose & Capability
The name/description (vendor risk assessment) matches the SKILL.md content: scoring rubric, portfolio view, templates, and red‑flags. There are no unexpected binaries, credentials, or system config requirements for this stated purpose.
Instruction Scope
The SKILL.md stays within the assessment domain (scoring, review templates, remediation actions). It includes external links to paid playbooks and an 'Agent Setup Wizard' URL — these are outside the skill but are only links. The skill itself does not instruct the agent to read local files, environment variables, or to transmit data to remote endpoints, but you should vet those external sites before following them.
Install Mechanism
Instruction-only skill with no install spec and no code files. This is low risk because nothing is written to disk or executed by the skill itself.
Credentials
No environment variables, credentials, or config paths are requested. The lack of secret or cloud credential requests is appropriate for a guidance/playbook skill.
Persistence & Privilege
Defaults are used (always:false, agent invocation allowed). The skill does not request permanent presence or elevated privileges and does not attempt to modify other skills or system settings.
How to Use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install afrexai-vendor-risk
  3. After installation, call the skill by name or trigger it with /afrexai-vendor-risk
  4. Provide the inputs described in the skill's parameters to get structured output
Version History
v1.0.0
Initial release of afrexai-vendor-risk v1.0.0.
  • Introduces a comprehensive vendor risk assessment framework covering security, financial stability, compliance, operational dependency, and data handling.
  • Provides domain-based scoring (0-100) and aggregates it to classify vendors into risk tiers with recommended review cadences.
  • Includes a portfolio risk view, cost of vendor failure calculator, quarterly review template, and immediate-action red flags.
  • Features industry-specific risks and targeted recommendations for procurement, CISOs, and operations leaders.
  • Links to additional resources such as playbooks and tools for deeper analysis.
Metadata
Slug: afrexai-vendor-risk
Version: 1.0.0
License: (none listed)
Cumulative installs: 0
Current installs: 0
Versions: 1
FAQ

What is Vendor Risk Assessment?

Evaluate and score vendors on security, financials, compliance, operations, and data handling to classify risk and manage remediation plans effectively. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 517 cumulative downloads to date.

How do I install Vendor Risk Assessment?

Run the command "/install afrexai-vendor-risk" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is Vendor Risk Assessment free?

Yes, Vendor Risk Assessment is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Vendor Risk Assessment support?

Vendor Risk Assessment is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Vendor Risk Assessment?

Developed and maintained by 1kalin (@1kalin); current version v1.0.0.
