← 返回 Skills 市场

Vendor Risk Assessment

Name: Vendor Risk Assessment
Author: afrexai-cto

作者 afrexai-cto · GitHub ↗ · v1.0.1 · MIT-0

cross-platform ✓ 安全检测通过

157

总下载

当前安装

版本数

在 OpenClaw 中安装

/install afrexai-vendor-risk-assessment

功能描述

Assess third-party vendor risk for AI and SaaS products. Evaluates security posture, data handling, compliance, financial stability, and operational resilien...

使用说明 (SKILL.md)

Vendor Risk Assessment

Evaluate any AI/SaaS vendor across 6 risk dimensions. Outputs a scored report with go/no-go recommendation.

When to Use

Onboarding a new SaaS or AI vendor
Annual vendor review cycle
Evaluating build-vs-buy decisions
Due diligence for partnerships or acquisitions
Compliance requirements (SOC2, ISO 27001, GDPR)

How to Use

The user provides vendor details (name, product, website, any available documentation). The agent researches and scores the vendor across 6 dimensions.

Input Format

Vendor: [Company Name]
Product: [Product/Service Name]
Website: [URL]
Use Case: [What you'd use it for]
Data Sensitivity: [low/medium/high/critical]
Additional Context: [Any docs, certifications, or concerns]

Assessment Framework

6 Risk Dimensions (each scored 1-10)

1. Security Posture

SOC2 Type II certification?
Penetration testing cadence
Encryption (at rest + in transit)
Access controls and authentication
Incident response plan
Bug bounty program

2. Data Handling & Privacy

Data residency and sovereignty
Data retention and deletion policies
Sub-processor transparency
GDPR/CCPA compliance
Data portability (can you get your data out?)
AI training opt-out policies

3. Compliance & Certifications

SOC2, ISO 27001, HIPAA, FedRAMP
Industry-specific (PCI-DSS, HITRUST, etc.)
AI-specific (EU AI Act readiness, NIST AI RMF)
Audit frequency and transparency
Regulatory track record

4. Financial Stability

Funding stage and runway
Revenue indicators (public or estimated)
Customer concentration risk
Acquisition risk
Pricing stability history

5. Operational Resilience

Uptime SLA and historical performance
Disaster recovery plan
Multi-region availability
Dependency on single cloud provider
Support responsiveness and escalation paths
Change management process

6. Contractual Terms

Termination and exit clauses
Liability caps and indemnification
IP ownership clarity
Auto-renewal traps
Price increase limitations
SLA breach remedies

Output Format

# Vendor Risk Assessment: [Vendor Name]
**Date:** YYYY-MM-DD
**Assessor:** AI Agent (AfrexAI)
**Data Sensitivity Level:** [low/medium/high/critical]

## Overall Risk Score: [X/10] — [LOW/MEDIUM/HIGH/CRITICAL]

## Dimension Scores
| Dimension | Score | Risk Level | Key Finding |
|-----------|-------|------------|-------------|
| Security Posture | X/10 | LOW/MED/HIGH | ... |
| Data Handling | X/10 | LOW/MED/HIGH | ... |
| Compliance | X/10 | LOW/MED/HIGH | ... |
| Financial Stability | X/10 | LOW/MED/HIGH | ... |
| Operational Resilience | X/10 | LOW/MED/HIGH | ... |
| Contractual Terms | X/10 | LOW/MED/HIGH | ... |

## Recommendation: [APPROVE / APPROVE WITH CONDITIONS / REJECT]

## Critical Findings
- [Finding 1]
- [Finding 2]

## Mitigation Requirements (if Approve with Conditions)
1. [Requirement 1 — deadline]
2. [Requirement 2 — deadline]

## Research Sources
- [Source 1]
- [Source 2]

Scoring Guide

9-10: Excellent — minimal risk, enterprise-grade
7-8: Good — acceptable for most use cases
5-6: Moderate — proceed with caution, mitigations needed
3-4: Poor — significant concerns, conditional approval only
1-2: Critical — recommend rejection or major remediation

Overall Risk Calculation

Average of 6 dimensions, weighted by data sensitivity:
- Low sensitivity: equal weights
- Medium: Security 2x, Data 2x
- High: Security 3x, Data 3x, Compliance 2x
- Critical: Security 4x, Data 4x, Compliance 3x, Financial 2x

Research Process

Check vendor website for security/compliance pages
Search for SOC2/ISO certifications and trust pages
Check status pages for uptime history
Search for breach history or security incidents
Review pricing page for contract terms indicators
Check Crunchbase/LinkedIn for financial stability signals
Search for customer reviews mentioning reliability/support

Pro Tips

Request the vendor's SOC2 Type II report directly — if they hesitate, that's a signal
Check their status page history (statuspage.io, etc.) for real uptime data
For AI vendors specifically: ask about model training on your data, output ownership, and hallucination liability
Compare their security page to competitors — vague = red flag

Need help managing vendor risk across your entire stack? AfrexAI builds autonomous AI agents that monitor vendors continuously — not just at onboarding. Visit afrexai.com or book a call: calendly.com/cbeckford-afrexai/30min

安全使用建议

This skill appears coherent and safe as authored, but take these precautions before use: (1) Do not upload unredacted sensitive documents — redact PII/credentials before sharing. (2) Expect the agent to perform public web lookups; verify any external sources it cites. (3) Treat the risk scores as advisory — validate critical findings (e.g., SOC2 reports) by requesting primary evidence from the vendor. (4) Note the README/SKILL include promotional links to AfrexAI; that is benign but be cautious about following third-party call/book links from within an automated workflow.

能力评估

✓ Purpose & Capability

Name/description match the content: SKILL.md defines a vendor-risk scoring framework and research steps that align with assessing AI/SaaS vendors. There are no unrelated resource requests (no cloud creds, no binaries).

ℹ Instruction Scope

Instructions direct the agent to research public sources (vendor site, status pages, Crunchbase, breach history). That is expected for this purpose, but it means the agent will access external web resources and may request user-provided documents; sensitive data should be redacted before sharing.

✓ Install Mechanism

Instruction-only skill with no install spec and no code files — nothing is written to disk and no external packages are pulled in.

✓ Credentials

No required environment variables, no credentials, and no config paths are requested. The skill does not ask for unrelated secrets or system access.

✓ Persistence & Privilege

always is false and the skill is user-invocable. It does not request permanent presence or modification of other skills or agent-wide settings.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install afrexai-vendor-risk-assessment
安装完成后，直接呼叫该 Skill 的名称或使用 /afrexai-vendor-risk-assessment 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.1

- Added detailed vendor risk assessment framework covering 6 risk dimensions: Security Posture, Data Handling & Privacy, Compliance & Certifications, Financial Stability, Operational Resilience, and Contractual Terms. - Defined when and how to use the skill, including required input and output formats. - Included a scoring methodology and weighted risk calculation based on data sensitivity. - Provided step-by-step research process and best practices for effective vendor assessment. - Outlined actionable pro tips and mitigation strategies for risk management.

元数据

Slug afrexai-vendor-risk-assessment

版本 1.0.1

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 1

常见问题