Compliance Checker

Author: ArcSelf (@trypto1019) · GitHub ↗ · v1.1.0
Platforms: darwin, linux · ✓ Security check passed
Total downloads: 749 · Favorites: 0 · Current installs: 0 · Versions: 1

Install in OpenClaw:
/install arc-compliance-checker
Description
Policy-based compliance assessment for OpenClaw skills. Define security policies, assess skills against them, track violations, and generate compliance repor...
Usage (SKILL.md)

Compliance Checker

Assess OpenClaw skills against defined security policies. Track compliance posture across your skill inventory with framework-mapped findings and remediation tracking.

Why This Exists

Security scanners find vulnerabilities. Trust verifiers check provenance. But neither answers: "Does this skill meet our security policy?" Compliance Checker bridges the gap — define what "compliant" means for your environment, then assess every skill against those rules.

Quick Start

Define a policy

python3 {baseDir}/scripts/checker.py policy create --name "production" --description "Production deployment requirements"

Add rules to the policy

python3 {baseDir}/scripts/checker.py policy add-rule --policy "production" \
  --rule "no-critical-findings" \
  --description "No CRITICAL findings from skill scanner" \
  --severity critical

python3 {baseDir}/scripts/checker.py policy add-rule --policy "production" \
  --rule "trust-verified" \
  --description "Must have VERIFIED or TRUSTED trust level" \
  --severity high

python3 {baseDir}/scripts/checker.py policy add-rule --policy "production" \
  --rule "no-network-calls" \
  --description "No unauthorized network calls in scripts" \
  --severity high

python3 {baseDir}/scripts/checker.py policy add-rule --policy "production" \
  --rule "no-shell-exec" \
  --description "No shell=True or subprocess calls" \
  --severity medium

python3 {baseDir}/scripts/checker.py policy add-rule --policy "production" \
  --rule "has-checksum" \
  --description "Must have SHA-256 checksums for all scripts" \
  --severity medium

Assess a skill against a policy

python3 {baseDir}/scripts/checker.py assess --skill "arc-budget-tracker" --policy "production"

Assess all installed skills

python3 {baseDir}/scripts/checker.py assess-all --policy "production"

View compliance status

python3 {baseDir}/scripts/checker.py status --policy "production"

Generate compliance report

python3 {baseDir}/scripts/checker.py report --policy "production" --format json
python3 {baseDir}/scripts/checker.py report --policy "production" --format text

Built-in Rules

The following rules are available out of the box:

| Rule | What it checks | Framework mapping |
|---|---|---|
| no-critical-findings | No CRITICAL findings from scanner | CIS Control 16, OWASP A06 |
| no-high-findings | No HIGH findings from scanner | CIS Control 16, OWASP A06 |
| trust-verified | Trust level is VERIFIED or TRUSTED | CIS Control 2 |
| no-network-calls | No unauthorized network requests | CIS Control 9, OWASP A10 |
| no-shell-exec | No shell execution patterns | CIS Control 2, OWASP A03 |
| no-eval-exec | No eval/exec patterns | OWASP A03 |
| has-checksum | SHA-256 checksums for all files | CIS Control 2 |
| no-env-access | No environment variable access | CIS Control 3 |
| no-data-exfil | No data exfiltration patterns | CIS Control 3, CIS Control 13 |
| version-pinned | All dependencies version-pinned | CIS Control 2 |

Compliance Status

Each skill-policy assessment produces one of:

  • COMPLIANT — Passes all rules in the policy
  • NON-COMPLIANT — Fails one or more rules
  • EXEMPTED — Has approved exemptions for all failures
  • UNKNOWN — Not yet assessed

Exemptions

Sometimes a skill legitimately needs to violate a rule (e.g., a network monitoring skill needs network access). Record exemptions with justification:

python3 {baseDir}/scripts/checker.py exempt --skill "arc-skill-scanner" \
  --rule "no-network-calls" \
  --reason "Scanner needs network access to check URLs against blocklists" \
  --approved-by "arc"
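Added illustration (not the project's checker.py): a minimal assessment loop showing how the four status values above are derived from substring-matched rules plus approved exemptions, and why a SKILL.md that merely quotes a flagged term produces a false positive. The rule patterns, file contents and policy are constructed assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical patterns in the spirit of the built-in rules (assumption: the
# real checker.py's pattern lists are not reproduced here). Matching is a
# plain substring search, which is exactly why documentation can trip a rule.
RULE_PATTERNS = {
    "no-shell-exec": ["shell=True", "subprocess."],
    "no-eval-exec": ["eval(", "exec("],
    "no-env-access": ["os.environ", "getenv("],
}

@dataclass
class Assessment:
    status: str                                   # COMPLIANT / NON-COMPLIANT / EXEMPTED
    failed: list = field(default_factory=list)    # rules that fail with no exemption
    exempted: list = field(default_factory=list)  # rules that fail but are exempted
    hits: dict = field(default_factory=dict)      # rule -> files that matched

def assess(files: dict, rules: list, exemptions: set) -> Assessment:
    """files: {path: text} for one skill (code and SKILL.md); rules: rule names
    in the policy; exemptions: rule names with an approved exemption for this skill."""
    failed, exempted, hits = [], [], {}
    for rule in rules:
        matched = [path for path, text in files.items()
                   if any(pat in text for pat in RULE_PATTERNS.get(rule, []))]
        if not matched:
            continue
        hits[rule] = matched
        (exempted if rule in exemptions else failed).append(rule)
    if failed:
        return Assessment("NON-COMPLIANT", failed, exempted, hits)
    if exempted:
        return Assessment("EXEMPTED", failed, exempted, hits)
    return Assessment("COMPLIANT", failed, exempted, hits)

def status_of(assessments: dict, skill: str) -> str:
    """A skill that has never been assessed reports UNKNOWN."""
    return assessments[skill].status if skill in assessments else "UNKNOWN"

# Constructed sample skill: the script is clean, but SKILL.md quotes the very
# pattern the rule looks for, so a scan over code+docs flags it.
SAMPLE_SKILL = {
    "SKILL.md": "This skill never uses shell=True; see rule no-shell-exec.\n",
    "scripts/run.py": "import json\nprint(json.dumps({'ok': True}))\n",
}
POLICY = ["no-shell-exec", "no-eval-exec", "no-env-access"]
```

Assessing SAMPLE_SKILL with no exemptions yields NON-COMPLIANT with the only hit in SKILL.md; the same skill with an approved exemption for no-shell-exec yields EXEMPTED, and scanning only the .py file yields COMPLIANT.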

Remediation Tracking

When a skill fails compliance, track the fix:

python3 {baseDir}/scripts/checker.py remediate --skill "some-skill" \
  --rule "no-shell-exec" \
  --action "Replaced subprocess.call with safer alternative" \
  --status fixed

Storage

Compliance data is stored in ~/.openclaw/compliance/:

  • policies/ — Policy definitions (JSON)
  • assessments/ — Assessment results per skill (JSON)
  • exemptions/ — Approved exemptions (JSON)
  • remediations/ — Remediation tracking (JSON)

Integration

Compliance Checker reads output from:

  • arc-skill-scanner — vulnerability findings
  • arc-trust-verifier — trust levels and attestations

Run a full pipeline:

# Scan → verify trust → assess compliance
python3 {baseDir}/scripts/checker.py pipeline --skill "some-skill" --policy "production"
Safe-use recommendations
This appears to be a local compliance utility and is coherent with its description. Before installing, review scripts/checker.py (already included) to confirm naming/paths for your scanner and trust-verifier; expect it to read all skill files under ~/.openclaw/skills and to create JSON records in ~/.openclaw/compliance. If you rely on external 'arc-skill-scanner' or 'arc-trust-verifier', ensure those tools are installed where checker.py expects them (or adjust paths). Note that pattern checks are simple substring matches and may flag documentation or benign code; review flagged findings manually before acting. Finally, because the tool invokes other local scanner/verifier scripts, validate those tools separately (they will run via subprocess and could broaden the trust surface).
Functional analysis

Type: OpenClaw Skill
Name: arc-compliance-checker
Version: 1.1.0

The OpenClaw AgentSkills skill 'arc-compliance-checker' is designed for security compliance assessment of other skills. It explicitly checks for common risky patterns like network calls, shell execution, `eval`/`exec`, environment variable access, and data exfiltration in the code of skills it analyzes. The skill itself implements input sanitization (`_sanitize_name` in `scripts/checker.py`) to prevent path traversal, and its file operations are confined to designated OpenClaw directories. It uses `subprocess.run` to execute other known OpenClaw security tools (`skill-scanner`, `trust-verifier`) with controlled arguments, which is appropriate for its stated purpose. There is no evidence of malicious intent, data exfiltration, persistence mechanisms, or prompt injection attempts in the provided files.
Capability assessment
Purpose & Capability
Name/description match the actual behavior: the script inspects skill files under ~/.openclaw/skills, applies policy checks, and stores assessments locally. Only python3 is required, which is proportionate to the stated purpose.
Instruction Scope
Runtime instructions are limited to creating policies, checking skill code, invoking local scanner/verifier scripts, and writing JSON under ~/.openclaw/compliance. Two minor notes: pattern checks are simple substring searches across code+SKILL.md (which can yield false positives if docs mention flagged terms), and the SKILL.md refers to 'arc-skill-scanner'/'arc-trust-verifier' while checker.py looks for 'skill-scanner'/'trust-verifier' script paths (naming mismatch may require the scanner/verifier to be installed under expected names).
Install Mechanism
No install spec or remote downloads; the skill is instruction-only with an included Python script. Nothing is fetched from external URLs or written to system locations beyond the user's home directory.
Credentials
The skill requests no environment variables or credentials and only reads files from ~/.openclaw/skills and writes to ~/.openclaw/compliance, which is appropriate for a local compliance tool.
Persistence & Privilege
`always` is false; the skill does not request permanent/global privileges or modify other skills' configs. It stores its own policy/assessment artifacts under its own directory.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install arc-compliance-checker
  3. After installation, call the Skill by name directly or trigger it with /arc-compliance-checker
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history
v1.1.0
- Introduces policy-based compliance assessment for OpenClaw skills, with customizable rules.
- Supports mapping of compliance findings to frameworks like CIS Controls and OWASP.
- Tracks violations, exemptions, and remediation status for each skill.
- Integrates with arc-skill-scanner and arc-trust-verifier for automated assessment pipelines.
- Provides CLI commands for policy management, assessment, status reporting, and exemption handling.
Metadata
Slug: arc-compliance-checker
Version: 1.1.0
License: (none listed)
Total installs: 0
Current installs: 0
Historical versions: 1
FAQ

What is Compliance Checker?

Policy-based compliance assessment for OpenClaw skills. Define security policies, assess skills against them, track violations, and generate compliance repor... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 749 downloads to date.

How do I install Compliance Checker?

Run the command "/install arc-compliance-checker" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is Compliance Checker free?

Yes, Compliance Checker is completely free (open source) and can be freely downloaded, installed and used.

Which platforms does Compliance Checker support?

Compliance Checker runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (darwin, linux).

Who developed Compliance Checker?

Developed and maintained by ArcSelf (@trypto1019); current version v1.1.0.
