← 返回 Skills 市场
AuditClaw GRC
作者
Nikhil Jathar
· GitHub ↗
· v1.0.2
623
总下载
0
收藏
0
当前安装
6
版本数
在 OpenClaw 中安装
/install auditclaw-grc
功能描述
AI-native GRC (Governance, Risk, and Compliance) for OpenClaw. 97 actions across 13 frameworks including SOC 2, ISO 27001, HIPAA, GDPR, NIST CSF, PCI DSS, CI...
使用说明 (SKILL.md)
AuditClaw GRC
AI-native GRC assistant for OpenClaw. Manages compliance frameworks, controls, evidence, risks, policies, vendors, incidents, assets, training, vulnerabilities, access reviews, and questionnaires.
97 actions | 30 tables | 13 frameworks | 990+ controls
Security Model
- Database: SQLite at
~/.openclaw/grc/compliance.sqlitewith WAL mode, owner-only permissions (0o600) - Credentials: Stored in
~/.openclaw/grc/credentials/with per-provider directories, owner-only permissions (0o700 dirs, 0o600 files), atomic writes, and secure deletion (overwrite with random bytes before removal). Secrets are never logged or exposed in output. Seescripts/credential_store.pyfor implementation. - Trust center: Generates a local HTML file only. Nothing is published externally. The user decides where to host it.
- Dependencies:
requests==2.31.0(pinned) for HTTP header scanning. Cloud integrations optionally useboto3(AWS) andPyJWT(Azure) via try/except -- these are not required and only activate if installed and credentials are configured. - Scans: All security scans (headers, SSL, GDPR) run locally against user-specified URLs only.
- No telemetry: No data is sent to external endpoints. All operations are local or to user-configured cloud accounts only.
Optional Environment Variables (for cloud integrations)
These are not required for core GRC functionality. They are only used when the user explicitly sets up cloud provider integrations via companion skills:
| Variable | Used by |
|---|---|
AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY |
AWS integration (via auditclaw-aws) |
GITHUB_TOKEN |
GitHub integration (via auditclaw-github) |
AZURE_SUBSCRIPTION_ID / AZURE_CLIENT_ID / AZURE_CLIENT_SECRET / AZURE_TENANT_ID |
Azure integration (via auditclaw-azure) |
GCP_PROJECT_ID / GOOGLE_APPLICATION_CREDENTIALS |
GCP integration (via auditclaw-gcp) |
GOOGLE_WORKSPACE_SA_KEY / GOOGLE_WORKSPACE_ADMIN_EMAIL |
Google Workspace (via auditclaw-idp) |
OKTA_ORG_URL / OKTA_API_TOKEN |
Okta (via auditclaw-idp) |
Setup
python3 {baseDir}/scripts/init_db.py
pip install -r {baseDir}/scripts/requirements.txt
Database: ~/.openclaw/grc/compliance.sqlite
Voice and Formatting
- Present data as formatted summaries, not raw JSON
- Keep messages under 4096 chars. Show top 5-10 rows, offer "Want the full list?"
- Emoji: ✅ complete, ⚠️ at-risk, 🔴 critical, 📊 scores, 📋 reports, 🔒 security
- Include context: "23/43 controls complete (53%)" not just "23"
- After each action, suggest the next logical step
Activation Triggers
Activate on: compliance, GRC, SOC 2, ISO 27001, HIPAA, GDPR, NIST, PCI DSS, CIS, CMMC, HITRUST, CCPA, FedRAMP, ISO 42001, SOX, ITGC, controls, evidence, risks, audit, gap analysis, security posture, compliance score, framework, security scan.
Database Operations
All queries go through: python3 {baseDir}/scripts/db_query.py --action \x3Caction> [args]
Output is JSON. Parse and present as human-readable summaries. For full action reference with all arguments: {baseDir}/references/db-actions.md
Core Actions
| Action | Purpose |
|---|---|
status |
Overall compliance overview |
activate-framework --slug soc2 |
Load framework controls |
gap-analysis --framework soc2 |
Gaps with priority and effort |
score-history --framework soc2 |
Score trend over time |
list-controls --framework soc2 --status in_progress |
Filtered controls |
update-control --id 5 --status complete |
Update control (also batch: --id 1,2,3) |
add-evidence --title "..." --control-ids 1,2,3 |
Record evidence |
add-risk --title "..." --likelihood 3 --impact 4 |
Log a risk |
add-vendor --name "..." --criticality high |
Register vendor |
add-incident --title "..." --severity critical |
Log incident |
generate-report --framework soc2 |
HTML compliance report |
generate-dashboard |
Dashboard summary + Canvas HTML |
export-evidence --framework soc2 |
ZIP package for auditors |
list-companions |
Show installed companion skills |
Additional Action Categories
- Policies: add, version, submit approval, review, require acknowledgment
- Training: add modules, assign, track completion, list overdue
- Vulnerabilities: add with CVE/CVSS, track remediation
- Access Reviews: create campaigns, add items, approve/revoke
- Questionnaires: create templates, send to vendors, record answers, score
- Incidents: add actions (timeline), post-incident reviews, summary with MTTR
- Assets: register with classification, lifecycle, encryption/backup/patch status
- Alerts: add, list, acknowledge, resolve
- Integrations: add provider, test connection, setup guide, show policy
Framework Activation
Run: python3 {baseDir}/scripts/db_query.py --action activate-framework --slug \x3Cslug>
| Framework | Slug | Controls |
|---|---|---|
| SOC 2 Type II | soc2 | 43 |
| ISO 27001:2022 | iso27001 | 114 |
| HIPAA Security Rule | hipaa | 29 |
| GDPR | gdpr | 25 |
| NIST CSF | nist-csf | 31 |
| PCI DSS v4.0 | pci-dss | 30 |
| CIS Controls v8 | cis-controls | 153 |
| CMMC 2.0 | cmmc | 113 |
| HITRUST CSF v11 | hitrust | 152 |
| CCPA/CPRA | ccpa | 28 |
| FedRAMP Moderate | fedramp | 282 |
| ISO 42001:2023 | iso42001 | 40 |
| SOX ITGC | sox-itgc | 50 |
Framework reference docs: {baseDir}/references/frameworks/
Compliance Score
Run: python3 {baseDir}/scripts/compliance_score.py [--framework \x3Cslug>] [--store]
Returns score (0-100), health distribution, trend, and drift detection. Use --store to save for tracking. Methodology: {baseDir}/references/scoring-methodology.md
Security Scanning
- Headers:
python3 {baseDir}/scripts/check_headers.py --url \x3Curl>(CSP, HSTS, X-Frame-Options, etc.) - SSL/TLS:
python3 {baseDir}/scripts/check_ssl.py --domain \x3Cdomain>(cert validity, chain, cipher) - GDPR: Browser-based cookie consent check (requires Chromium)
After scans, offer to save results as evidence.
Reports and Exports
- Report:
python3 {baseDir}/scripts/generate_report.py --framework \x3Cslug> --format html - Trust center:
python3 {baseDir}/scripts/generate_trust_center.py [--org-name "Acme Corp"](local HTML only) - Evidence export:
python3 {baseDir}/scripts/export_evidence.py --framework \x3Cslug>
Interactive Flows
First-Time Setup
When user asks to set up compliance: initialize DB silently, present framework options with control counts and use cases, offer gap analysis after activation.
Smart Defaults
- Evidence type: infer from context (manual/automated/integration)
- Risk assessment: suggest likelihood/impact with reasoning, confirm before saving
- Bulk operations: list exactly what will change, confirm, report summary
Proactive Suggestions
After framework activation -> offer gap analysis and cloud integration setup. After marking controls complete -> offer score recalculation. After scanning -> offer to save as evidence. After scoring (\x3C 30%) -> prioritize critical controls. (>= 90%) -> offer audit report.
Slash Commands
| Command | Action |
|---|---|
/grc-score |
Quick compliance score |
/grc-gaps |
Priority gaps |
/grc-scan |
Security scan menu |
/grc-report |
Generate report |
/grc-risks |
Risk register |
/grc-incidents |
Active incidents |
/grc-trust |
Generate trust center |
Scheduled Alerts (Cron)
Register via OpenClaw cron tool:
- Evidence expiry: daily 7 AM
- Score recalc: every 6 hours
- Weekly digest: Monday 8 AM
Always include "Using auditclaw-grc skill" in cron messages for routing.
Companion Skills
Optional add-ons for automated cloud evidence collection. Evidence flows into the shared GRC database.
| Skill | Checks | Setup |
|---|---|---|
| auditclaw-aws | 15 AWS checks (S3, IAM, CloudTrail, VPC, etc.) | aws configure with read-only IAM policy |
| auditclaw-github | 9 GitHub checks (branch protection, secrets, 2FA, etc.) | GITHUB_TOKEN env var |
| auditclaw-azure | 12 Azure checks (storage, NSG, Key Vault, etc.) | Service principal with Reader + Security Reader |
| auditclaw-gcp | 12 GCP checks (storage, firewall, IAM, etc.) | GOOGLE_APPLICATION_CREDENTIALS with Viewer + Security Reviewer |
| auditclaw-idp | 8 identity checks (Google Workspace + Okta) | SA key + admin email / Okta API token |
Install: clawhub install auditclaw-\x3Cprovider>
If a user asks to connect a cloud provider, check list-companions first. If not installed, guide them to install it.
Integration Setup
Say "setup aws", "setup github", etc. to get step-by-step guides with exact permissions. Use "test aws connection" to verify before running scans.
Reference Files
{baseDir}/references/db-actions.md- Full action reference with all arguments{baseDir}/references/schema.md- Database schema{baseDir}/references/scoring-methodology.md- Scoring algorithm{baseDir}/references/commands/- Detailed command guides{baseDir}/references/frameworks/- Framework reference docs{baseDir}/references/integrations/- Cloud integration guides
安全使用建议
This package appears coherent for a local GRC tool, but you should take a few precautions before installing: 1) Review the credential_store.py and auth_provider.py files to confirm how secrets are encrypted, saved, and deleted (the code claims owner-only perms and secure deletion—verify those behaviors). 2) Run the skill in a development or isolated account/machine (or container) first, especially before supplying any cloud credentials. 3) When enabling cloud integrations, prefer roles or short-lived credentials (IAM AssumeRole, service account impersonation) rather than long-lived keys. 4) Inspect db_query.py and any omitted scripts for unexpected external network endpoints or logging of secrets. 5) Note the small metadata inconsistency (SKILL.md lists an install step while registry metadata said no install spec) — not a security problem but worth being aware of. If you want higher assurance, provide the full credential_store.py and db_query.py for targeted review or run the unit tests included in the repo in an isolated environment and inspect network activity during test runs.
功能分析
Type: OpenClaw Skill
Name: auditclaw-grc
Version: 1.0.2
The OpenClaw AgentSkills skill bundle 'auditclaw-grc' is classified as benign. The code and documentation consistently align with its stated purpose of providing AI-native GRC functionality, including compliance management, risk assessment, and security scanning. Notably, the `scripts/credential_store.py` implements robust security measures like path traversal protection and secure deletion of sensitive files. Furthermore, the `CHANGELOG.md` explicitly highlights the addition of CSV injection protection in `scripts/export_evidence.py` and XSS prevention in HTML report generation (`scripts/generate_report.py`, `scripts/generate_trust_center.py`), demonstrating a strong commitment to security by the developers. All interactions with the SQLite database in `scripts/db_query.py` utilize parameterized queries, effectively preventing SQL injection vulnerabilities. The `SKILL.md` instructions for the AI agent are clear, directly related to the GRC functions, and contain no evidence of prompt injection attempts or malicious directives.
能力评估
Purpose & Capability
The skill claims to be a GRC assistant and includes database scripts, scanning tools (HTTP headers, SSL), reporting/dashboard generation, drift detection, and credential helpers. The requested binaries (python3 and an optional headless browser) and the included scripts match that purpose. Optional cloud integration environment variables are declared and are appropriate for the described companion skills.
Instruction Scope
SKILL.md instructs running local Python scripts, creating a local SQLite DB in ~/.openclaw/grc, and running scans against user-specified URLs. The scripts shown (check_headers.py, check_ssl.py, drift_detector.py, generate_dashboard.py, auth_provider.py) operate on local DB/evidence paths and perform network calls only to target URLs or to cloud SDKs when configured. Drift detection explicitly restricts file reads to the ~/.openclaw/grc directory. There are no instructions to read or exfiltrate arbitrary system files.
Install Mechanism
SKILL.md contains an install hint (pip install -r scripts/requirements.txt and python3 scripts/init_db.py) and the package includes a local requirements.txt that pins only 'requests'. There is no remote download or third-party package installation beyond this local pip requirement, which is proportionate. Note: registry metadata listed 'No install spec' while SKILL.md includes metadata.install; this metadata inconsistency is harmless but worth noting.
Credentials
No required environment variables are declared. A set of optional env vars are listed (AWS/GCP/Azure/GITHUB/IDP related) and are only needed for their respective companion cloud integrations. The auth provider falls back to standard SDK defaults (env vars, ~/.aws, ADC, etc.), which is expected for cloud integration. The skill also implements a local credential store (credential_store.py) rather than forcing env vars, which fits the stated design. Because these vars enable cloud access, grant them only if you intend to use the companion integrations.
Persistence & Privilege
The skill stores data in the user's home under ~/.openclaw/grc and claims to use owner-only permissions for DB and credential files. It does not request system-wide config changes or always:true inclusion. Post-install DB initialization is normal for such a tool. The storage location and behaviors are consistent with the stated purpose.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install auditclaw-grc - 安装完成后,直接呼叫该 Skill 的名称或使用
/auditclaw-grc触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.2
- Added homepage and source links for easier project access and support.
- Introduced explicit install instructions in metadata for pip and post-install scripts.
- Metadata now specifies optional environment variables for cloud integrations.
- No functional or behavioral changes; documentation/metadata improvements only.
v1.0.1
No functional changes in this release; metadata update only.
- Added homepage URL metadata for discoverability.
- No code or feature updates included.
v1.0.0
Initial release of auditclaw-grc: an AI-native GRC assistant for OpenClaw with broad compliance support.
- Supports 97+ actions across 13 frameworks (SOC 2, ISO 27001, HIPAA, GDPR, NIST CSF, PCI DSS, CIS Controls, CMMC, HITRUST, CCPA, FedRAMP, ISO 42001, SOX ITGC).
- Manages controls, evidence, risks, policies, vendors, incidents, assets, training, vulnerabilities, access reviews, and questionnaires.
- Generates compliance scores, reports, dashboards, and trust center pages; includes local security header, SSL, and GDPR scans.
- Integrates with AWS, Azure, GCP, and GitHub via companion skills; uses SQLite with strict security.
- Includes interactive flows, emoji-based summaries, slash commands, and scheduled cron alerts.
- No external data is published—user controls all exports and reports.
v6.0.2
Concise SKILL.md (755->188 lines), security model docs, pinned deps, type:executable metadata
v6.0.1
Concise SKILL.md, security model docs, pinned deps, type:executable metadata
v6.0.0
Initial ClawHub publish: 97 actions, 30 tables, 13 frameworks
元数据
常见问题
AuditClaw GRC 是什么?
AI-native GRC (Governance, Risk, and Compliance) for OpenClaw. 97 actions across 13 frameworks including SOC 2, ISO 27001, HIPAA, GDPR, NIST CSF, PCI DSS, CI... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 623 次。
如何安装 AuditClaw GRC?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install auditclaw-grc」即可一键安装,无需额外配置。
AuditClaw GRC 是免费的吗?
是的,AuditClaw GRC 完全免费(开源免费),可自由下载、安装和使用。
AuditClaw GRC 支持哪些平台?
AuditClaw GRC 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(darwin, linux)。
谁开发了 AuditClaw GRC?
由 Nikhil Jathar(@mailnike)开发并维护,当前版本 v1.0.2。
推荐 Skills