msaad00

agent-bom compliance

Author: Agent Bom · GitHub · v0.82.3 · MIT-0
Platforms: darwin, linux, windows ✓ Security check passed
Total downloads: 826
Favorites: 0
Current installs: 2
Versions: 36
Install in OpenClaw
/install agent-bom-compliance
Description
AI compliance and policy engine — evaluate scan results against OWASP, NIST, SOC 2, ISO 27001, CMMC, EU AI Act, AISVS v1.0, and related frameworks. Generate...
Usage instructions (SKILL.md)

agent-bom-compliance — AI Compliance & Policy Engine

Evaluate AI infrastructure scan results against 14 security and regulatory frameworks. Enforce policy-as-code rules. Generate SBOMs in standard formats. Run AISVS v1.0 and CIS benchmark checks.

Install

pipx install agent-bom
agent-bom agents -f compliance-export  # run agents scan with compliance export
agent-bom generate-sbom                # generate CycloneDX SBOM

When to Use

  • "compliance report" / "run compliance"
  • "NIST" / "NIST AI RMF" / "NIST CSF" / "NIST 800-53"
  • "SOC 2" / "SOC2"
  • "ISO 27001"
  • "OWASP" / "OWASP LLM Top 10" / "OWASP Agentic Top 10"
  • "EU AI Act"
  • "AISVS" / "AI Security Verification Standard"
  • "CMMC" / "FedRAMP"
  • "generate SBOM" / "CycloneDX" / "SPDX"
  • "policy check" / "policy enforcement"

Tools (5)

| Tool | Description |
|------|-------------|
| compliance | OWASP LLM/Agentic Top 10, EU AI Act, MITRE ATLAS, NIST AI RMF |
| policy_check | Evaluate results against custom security policy (17 conditions) |
| cis_benchmark | Run CIS benchmark checks against cloud accounts |
| generate_sbom | Generate SBOM (CycloneDX or SPDX format) |
| aisvs_benchmark | OWASP AISVS v1.0 compliance — 9 AI security checks |

Supported Frameworks (14)

  • OWASP LLM Top 10 (2025) — prompt injection, supply chain, data leakage
  • OWASP MCP Top 10 — MCP-specific security risks
  • OWASP Agentic Top 10 — tool poisoning, rug pulls, credential theft
  • OWASP AISVS v1.0 — AI Security Verification Standard (9 checks)
  • MITRE ATLAS — adversarial ML threat framework
  • NIST AI RMF — govern, map, measure, manage lifecycle
  • NIST CSF 2.0 — identify, protect, detect, respond, recover
  • NIST 800-53 Rev 5 — federal security controls (CM-8, RA-5, SI-2, SR-3)
  • FedRAMP Moderate — derived from NIST 800-53 controls
  • EU AI Act — risk classification, transparency, SBOM requirements
  • ISO 27001:2022 — information security controls (Annex A)
  • SOC 2 — Trust Services Criteria
  • CIS Controls v8 — implementation groups IG1/IG2/IG3
  • CMMC 2.0 — cybersecurity maturity model (Level 1-3)

Examples

# Run compliance check against multiple frameworks
compliance(frameworks=["owasp_llm", "eu_ai_act", "nist_ai_rmf"])

# Enforce custom policy
policy_check(policy={"max_critical": 0, "max_high": 5})

# Generate SBOM
generate_sbom(format="cyclonedx")

# Run AISVS v1.0 compliance
aisvs_benchmark()

# Run AWS CIS benchmark
cis_benchmark(provider="aws")

Privacy & Data Handling

OWASP, NIST, EU AI Act, MITRE ATLAS, AISVS, SBOM generation, and policy checks run entirely locally on scan data already in memory. No network calls, no credentials needed for these features.

CIS benchmark checks (optional, user-initiated) call cloud provider APIs using your locally configured credentials. These are read-only API calls to AWS, Azure, GCP, or Snowflake. You must explicitly run cis_benchmark(provider=...) and confirm before any cloud API calls are made.

Verification

  • Source: github.com/msaad00/agent-bom (Apache-2.0)
  • 7,100+ tests with CodeQL + OpenSSF Scorecard
  • No telemetry: Zero tracking, zero analytics
Security usage recommendations
This skill appears coherent for local compliance checks and SBOM generation. Before installing: (1) review the upstream GitHub repo and the PyPI/ghcr.io package contents to ensure they match the project you expect; (2) install/run in an isolated environment (VM or container) first; (3) only provide cloud credentials if you explicitly run CIS benchmark checks, and give those credentials least privilege access (read-only, limited scope); (4) confirm the 'agent-bom agents' command's scope so it doesn't scan agent/platform infrastructure you don't intend to expose. Also note the minor metadata mismatch: SKILL.md requires Python 3.11+ but the registry entry lists no required binaries — ensure your runtime meets that requirement.
Functional analysis
Type: OpenClaw Skill
Name: agent-bom-compliance
Version: 0.82.3
The agent-bom-compliance skill is a security and compliance engine designed to evaluate infrastructure against frameworks like OWASP, NIST, and ISO 27001. While it requests access to sensitive cloud credentials (AWS, Azure, GCP, Snowflake) for CIS benchmark checks, the SKILL.md documentation clearly justifies this for local, read-only API calls to standard provider endpoints. No evidence of malicious intent, data exfiltration, or prompt injection was found.
Capability assessment
Purpose & Capability
The skill describes an AI/compliance engine and SBOM generation and only lists optional cloud credentials for CIS checks — this is coherent. One minor inconsistency: SKILL.md requires Python 3.11+ and shows pipx/pip/docker install options, but the registry metadata lists no required binaries; the runtime requirement for Python is legitimate but not reflected in the top-level 'required binaries' field.
Instruction Scope
The SKILL.md contains concrete CLI usage (pipx install, agent-bom commands) and limits file reads to user-provided SBOMs and policy files. It does not instruct the agent to scan unrelated local files or to exfiltrate data. CIS checks are explicitly optional and described as using local cloud credentials.
Install Mechanism
This is an instruction-only skill (no install spec or code bundled). The project recommends installing from PyPI (pip/pipx) or using the GHCR Docker image — these are normal distribution channels. Because there is no packaged install in the skill bundle, the actual installation (pipx/pip/docker) would fetch code at install time; verify the upstream PyPI package or container image before installing.
Credentials
No required credentials are declared; a reasonable set of optional environment variables (AWS/Azure/GCP/Snowflake) are listed for optional CIS benchmark checks. These optional secrets are proportional to the described cloud checks. The skill claims to perform other framework checks (OWASP/NIST/EU AI Act) locally without credentials.
Persistence & Privilege
The skill does not request persistent presence (always: false), declares no telemetry or persistence, and marks autonomous invocation as restricted. Nothing in the README suggests it modifies other skills or system-wide agent settings.
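How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install agent-bom-compliance
  3. Once installation completes, invoke the Skill by name or trigger it with /agent-bom-compliance
  4. Provide the required input per the Skill's parameter description to get structured output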
Version history
  • v0.82.3: Release v0.82.3
  • v0.82.2: Release v0.82.2
  • v0.81.3: Release v0.81.3
  • v0.81.1: Release v0.81.1
  • v0.81.0: Release v0.81.0
  • v0.80.1: Release v0.80.1
  • v0.78.1: Release v0.78.1
  • v0.76.4: Release v0.76.4
  • v0.76.2: Release v0.76.2
  • v0.76.1: Release v0.76.1
  • v0.76.0: Release v0.76.0
  • v0.75.15: Release v0.75.15
  • v0.75.14: Release v0.75.14
  • v0.75.13: Release v0.75.13
  • v0.75.11: Release v0.75.11
  • v0.75.10: Release v0.75.10
  • v0.75.9: Release v0.75.9
  • v0.75.8: Release v0.75.8
  • v0.75.7: Release v0.75.7
  • v0.75.6: Release v0.75.6
Metadata
Slug: agent-bom-compliance
Version: 0.82.3
License: MIT-0
Total installs: 2
Current installs: 2
Number of versions: 36
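Frequently asked questions

What is agent-bom compliance?

AI compliance and policy engine — evaluate scan results against OWASP, NIST, SOC 2, ISO 27001, CMMC, EU AI Act, AISVS v1.0, and related frameworks. Generate... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 826 total downloads to date.

How do I install agent-bom compliance?

Run the command "/install agent-bom-compliance" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.

Is agent-bom compliance free?

Yes, agent-bom compliance is completely free, under the MIT-0 license, and can be freely downloaded, installed and used.

Which platforms does agent-bom compliance support?

agent-bom compliance runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (darwin, linux, windows).

Who developed agent-bom compliance?

Developed and maintained by Agent Bom (@msaad00); current version v0.82.3.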
