AuditClaw Idp

Author: Nikhil Jathar (@mailnike) · GitHub ↗ · v1.0.2
cross-platform ✓ Security scan passed
570 total downloads · 0 favorites · 0 current installs · 3 versions
Install in OpenClaw: /install auditclaw-idp
Description
Identity provider compliance checks for auditclaw-grc. 8 read-only checks across Google Workspace (MFA, admin audit, inactive users, passwords) and Okta (MFA...
Usage instructions (SKILL.md)

AuditClaw IDP

Companion skill for auditclaw-grc. Collects compliance evidence from Google Workspace and Okta identity providers using read-only API calls.

8 checks | Read-only API access | Evidence stored in shared GRC database

Security Model

  • Read-only access: Google Workspace uses only the admin.directory.user.readonly scope. Okta uses only the okta.users.read, okta.factors.read and okta.policies.read scopes. No write or modify permissions are requested.
  • Credentials: read at runtime from the standard environment variables for each provider; this skill never writes credentials to disk.
  • Dependencies: Google API client + requests (all pinned in requirements.txt)
  • Data flow: Check results stored as evidence in ~/.openclaw/grc/compliance.sqlite via auditclaw-grc

Prerequisites

  • Google Workspace: service account JSON key with domain-wide delegation, plus the email of an admin to impersonate
  • Okta: API token (SSWS). An SSWS token carries the permissions of the admin who creates it rather than OAuth scopes, so create it from a Read-only Administrator account
  • pip install -r scripts/requirements.txt
  • auditclaw-grc skill installed and initialized

Environment Variables

Google Workspace (optional; skip if not configured)

  • GOOGLE_WORKSPACE_SA_KEY: Path to service account JSON file
  • GOOGLE_WORKSPACE_ADMIN_EMAIL: Super admin email to impersonate

Okta (optional; skip if not configured)

  • OKTA_ORG_URL: Okta org URL, e.g. https://mycompany.okta.com
  • OKTA_API_TOKEN: SSWS API token

Commands

  • "Run IDP evidence sweep": Run all checks for configured providers
  • "Check Google Workspace MFA": Run Google MFA check
  • "Check Okta password policies": Run Okta password policy check
  • "Show IDP integration health": Last sync, errors, evidence count

Usage

All evidence is stored in the shared GRC database at ~/.openclaw/grc/compliance.sqlite. The script hands rows to the auditclaw-grc skill's db_query.py script when that script is present and otherwise inserts them into the database directly.

To run a full evidence sweep (all configured providers):

python3 scripts/idp_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --all

To run checks for a specific provider:

python3 scripts/idp_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --provider google
python3 scripts/idp_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --provider okta

To run specific checks:

python3 scripts/idp_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --checks google_mfa,okta_mfa

Check Categories (8)

Check             Provider          What It Verifies
----------------  ----------------  -----------------------------------------------------------------
google_mfa        Google Workspace  All active users have 2SV enrolled and enforced
google_admins     Google Workspace  Super admin count between 2 and 4, all with 2SV
google_inactive   Google Workspace  No active users whose lastLoginTime is more than 90 days ago
google_passwords  Google Workspace  All users have passwordStrength == "STRONG"
okta_mfa          Okta              All active users have at least one MFA factor enrolled
okta_passwords    Okta              Password policy: minLength >= 12, history >= 5, maxAttempts <= 5, maxAge <= 90 days
okta_inactive     Okta              No active users whose lastLogin is more than 90 days ago
okta_sessions     Okta              MFA required, session lifetime <= 12h, idle timeout <= 1h
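The user-level checks in the table (google_mfa, google_admins, google_inactive, okta_mfa, okta_inactive) are all the same shape: filter to active accounts, then test a field against a threshold. The following is an added example, not the skill's own scripts/idp_evidence.py, that runs those five checks offline over constructed records. The Google records follow the field names of Directory API users.list items (isEnrolledIn2Sv, isEnforcedIn2Sv, isAdmin, suspended, lastLoginTime); the Okta records follow /api/v1/users and /api/v1/users/{id}/factors. The sample accounts are invented, the 1970 epoch handling for never-logged-in Google users is an assumption, and the fixed clock exists only so the results are reproducible.

```python
"""Added example: user-level IdP checks over constructed API records."""
from datetime import datetime, timedelta, timezone

INACTIVE_DAYS = 90
# Fixed "now" so the sample results are reproducible (a real run would use datetime.now).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an RFC 3339 timestamp such as '2024-03-01T10:00:00.000Z'; None means 'never'.
    Assumption: the Directory API reports never-logged-in users with a 1970 epoch value."""
    if not value or value.startswith("1970-"):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_stale(last_login, now=NOW, days=INACTIVE_DAYS):
    """True when the last login is more than `days` ago or there has never been one."""
    ts = parse_ts(last_login)
    return ts is None or (now - ts) > timedelta(days=days)


def google_active(user):
    return not user.get("suspended") and not user.get("archived")


def google_mfa(users):
    """google_mfa: every active user is both enrolled in and enforced for 2SV."""
    offenders = sorted(u["primaryEmail"] for u in users if google_active(u)
                       and not (u.get("isEnrolledIn2Sv") and u.get("isEnforcedIn2Sv")))
    return {"check": "google_mfa", "passed": not offenders, "offenders": offenders}


def google_admins(users):
    """google_admins: between 2 and 4 active super admins, all enrolled in 2SV."""
    admins = [u for u in users if google_active(u) and u.get("isAdmin")]
    no_2sv = sorted(u["primaryEmail"] for u in admins if not u.get("isEnrolledIn2Sv"))
    passed = 2 <= len(admins) <= 4 and not no_2sv
    return {"check": "google_admins", "passed": passed,
            "admin_count": len(admins), "offenders": no_2sv}


def google_inactive(users, now=NOW):
    """google_inactive: no active user whose last login is more than 90 days ago."""
    offenders = sorted(u["primaryEmail"] for u in users
                       if google_active(u) and is_stale(u.get("lastLoginTime"), now))
    return {"check": "google_inactive", "passed": not offenders, "offenders": offenders}


def okta_mfa(users, factors_by_user):
    """okta_mfa: every ACTIVE user has at least one factor in status ACTIVE.
    A PENDING_ACTIVATION factor is not an enrolment and must not count."""
    offenders = sorted(u["profile"]["login"] for u in users if u["status"] == "ACTIVE"
                       and not any(f.get("status") == "ACTIVE"
                                   for f in factors_by_user.get(u["id"], [])))
    return {"check": "okta_mfa", "passed": not offenders, "offenders": offenders}


def okta_inactive(users, now=NOW):
    """okta_inactive: no ACTIVE user whose lastLogin is null or more than 90 days ago."""
    offenders = sorted(u["profile"]["login"] for u in users
                       if u["status"] == "ACTIVE" and is_stale(u.get("lastLogin"), now))
    return {"check": "okta_inactive", "passed": not offenders, "offenders": offenders}


# Constructed sample data; no real tenant is represented.
GOOGLE_USERS = [
    {"primaryEmail": "alice@example.com", "isAdmin": True, "isEnrolledIn2Sv": True,
     "isEnforcedIn2Sv": True, "lastLoginTime": "2024-05-20T08:00:00.000Z"},
    {"primaryEmail": "bob@example.com", "isAdmin": True, "isEnrolledIn2Sv": True,
     "isEnforcedIn2Sv": True, "lastLoginTime": "2024-05-28T08:00:00.000Z"},
    {"primaryEmail": "carol@example.com", "isEnrolledIn2Sv": False,
     "isEnforcedIn2Sv": True, "lastLoginTime": "2024-01-15T08:00:00.000Z"},
    {"primaryEmail": "dave@example.com", "suspended": True, "isEnrolledIn2Sv": False,
     "lastLoginTime": "2023-01-01T08:00:00.000Z"},   # suspended: excluded everywhere
    {"primaryEmail": "erin@example.com", "isEnrolledIn2Sv": True,
     "isEnforcedIn2Sv": False, "lastLoginTime": "1970-01-01T00:00:00.000Z"},
]
OKTA_USERS = [
    {"id": "u1", "status": "ACTIVE", "profile": {"login": "alice@example.com"},
     "lastLogin": "2024-05-30T09:00:00.000Z"},
    {"id": "u2", "status": "ACTIVE", "profile": {"login": "frank@example.com"},
     "lastLogin": "2024-02-01T09:00:00.000Z"},
    {"id": "u3", "status": "DEPROVISIONED", "profile": {"login": "grace@example.com"},
     "lastLogin": None},
    {"id": "u4", "status": "ACTIVE", "profile": {"login": "heidi@example.com"},
     "lastLogin": None},
]
OKTA_FACTORS = {
    "u1": [{"factorType": "push", "status": "ACTIVE"}],
    "u2": [{"factorType": "sms", "status": "PENDING_ACTIVATION"}],
    "u4": [{"factorType": "token:software:totp", "status": "ACTIVE"}],
}


def run_user_checks(google_users=GOOGLE_USERS, okta_users=OKTA_USERS,
                    okta_factors=OKTA_FACTORS, now=NOW):
    """Run the five user-level checks and key the results by check name."""
    results = [google_mfa(google_users), google_admins(google_users),
               google_inactive(google_users, now), okta_mfa(okta_users, okta_factors),
               okta_inactive(okta_users, now)]
    return {r["check"]: r for r in results}


if __name__ == "__main__":
    for name, r in run_user_checks().items():
        print(f"{name:16} {'PASS' if r['passed'] else 'FAIL'} {r['offenders']}")
```

Two details matter when wiring this to live API output: the 90-day window is "more than 90 days", so a login exactly 90 days ago passes, and suspended or deprovisioned accounts are excluded rather than reported, because the checks are about active identities.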

Evidence Storage

Each check produces evidence items stored with:

  • source: "idp"
  • type: "automated"
  • control_id: Mapped to relevant SOC2/ISO/NIST/HIPAA controls
  • description: Human-readable finding summary
  • file_content: JSON details of the check result
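The evidence item fields above, together with the "Show IDP integration health" command, imply a small write path: one row per mapped control, JSON in file_content, and an integrations record that tracks last sync and errors. The following is an added example of that path, not the auditclaw-grc schema or db_query.py, which are not shown on this page. The table names, columns and the control mapping are assumptions for illustration; the check results are constructed.

```python
"""Added example: storing check results as GRC evidence rows in SQLite (assumed schema)."""
import json
import sqlite3
from datetime import datetime, timezone

# Assumed schema; the real auditclaw-grc database is owned by that skill.
SCHEMA = """
CREATE TABLE IF NOT EXISTS evidence (
    id           INTEGER PRIMARY KEY,
    source       TEXT NOT NULL,
    type         TEXT NOT NULL,
    control_id   TEXT NOT NULL,
    description  TEXT NOT NULL,
    file_content TEXT NOT NULL,
    collected_at TEXT NOT NULL
);
CREATE TABLE IF NOT EXISTS integrations (
    provider   TEXT PRIMARY KEY,
    last_sync  TEXT,
    last_error TEXT
);
"""

# Illustrative control mapping only; the skill's own mapping is not on the page.
CONTROL_MAP = {
    "google_mfa": ["SOC2-CC6.1", "NIST-800-53-IA-2(1)"],
    "google_inactive": ["SOC2-CC6.2", "ISO27001-A.9.2.6"],
    "okta_mfa": ["SOC2-CC6.1", "NIST-800-53-IA-2(1)"],
}


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def store_check_result(conn, result, now=None):
    """Insert one evidence row per mapped control and return the row count.
    Parameterised statements keep finding text (which carries user-controlled
    strings such as logins) out of the SQL itself."""
    now = now or datetime.now(timezone.utc).isoformat()
    status = "PASS" if result["passed"] else "FAIL"
    offenders = len(result.get("offenders", []))
    description = f"{result['check']}: {status} ({offenders} offending account(s))"
    rows = [("idp", "automated", control, description,
             json.dumps(result, sort_keys=True), now)
            for control in CONTROL_MAP.get(result["check"], ["UNMAPPED"])]
    conn.executemany(
        "INSERT INTO evidence (source, type, control_id, description, file_content, collected_at)"
        " VALUES (?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return len(rows)


def record_sync(conn, provider, error=None, now=None):
    """Upsert the integrations record that the health command reads."""
    now = now or datetime.now(timezone.utc).isoformat()
    conn.execute("INSERT OR REPLACE INTO integrations (provider, last_sync, last_error)"
                 " VALUES (?, ?, ?)", (provider, now, error))
    conn.commit()


def integration_health(conn):
    """Last sync, last error and evidence count, as the health command would report them."""
    count = conn.execute("SELECT COUNT(*) FROM evidence WHERE source = 'idp'").fetchone()[0]
    providers = {row[0]: {"last_sync": row[1], "last_error": row[2]}
                 for row in conn.execute("SELECT provider, last_sync, last_error FROM integrations")}
    return {"evidence_count": count, "providers": providers}


def demo():
    """Store two constructed check results and one failed sync, then report health."""
    conn = open_db()
    ts = "2024-06-01T00:00:00+00:00"
    store_check_result(conn, {"check": "google_mfa", "passed": False,
                              "offenders": ["carol@example.com"]}, now=ts)
    store_check_result(conn, {"check": "okta_mfa", "passed": True, "offenders": []}, now=ts)
    record_sync(conn, "google", now=ts)
    record_sync(conn, "okta", error="HTTP 401 from /api/v1/users", now=ts)
    return integration_health(conn)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keeping file_content as the full JSON result means an auditor can reconstruct which accounts failed at collection time without re-querying the provider, which is the point of evidence rather than a pass/fail flag.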

Setup Guide

AuditClaw supports two identity providers. Configure one or both.

Google Workspace Setup

Step 1: Enable the Admin SDK API
Google Cloud Console → APIs & Services → Library → enable "Admin SDK API"

Step 2: Create a service account
IAM & Admin → Service Accounts → Create. Enable domain-wide delegation and download a JSON key.

Step 3: Grant OAuth scopes
In Google Admin → Security → API controls → Domain-wide delegation, add the service account's client ID with:

  • https://www.googleapis.com/auth/admin.directory.user.readonly
  • https://www.googleapis.com/auth/admin.reports.audit.readonly

The code analysis on this page notes that the skill's credential builder requests only the directory scope; the reports scope is listed by the SKILL.md but is not used by the current code.

Step 4: Set environment variables

  • GOOGLE_WORKSPACE_SA_KEY=/path/to/service-account.json
  • GOOGLE_WORKSPACE_ADMIN_EMAIL=admin@mycompany.com

Okta Setup

Step 1: Create an API token
Okta Admin → Security → API → Tokens → Create Token. Name: auditclaw-scanner

Step 2: Required permissions
An SSWS token inherits the permissions of the admin who creates it and is not restricted by OAuth scopes, so create it while signed in as a Read-only Administrator; that limits it to reading users, factors and policies. The scopes okta.users.read, okta.factors.read and okta.policies.read are the equivalent OAuth 2.0 scopes and apply only if an OAuth service app is used instead of an SSWS token.

Step 3: Set Environment Variables

  • OKTA_ORG_URL=https://mycompany.okta.com
  • OKTA_API_TOKEN=your-token-here
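With the token configured, the okta_passwords and okta_sessions checks from the table above evaluate the policy objects returned by GET /api/v1/policies?type=PASSWORD and GET /api/v1/policies?type=OKTA_SIGN_ON (with their /rules). The following is an added example, not the skill's code, that runs those threshold comparisons offline over constructed policy JSON; the field names follow Okta's policy object layout (settings.password.complexity, .age, .lockout and actions.signon.session), the policies themselves are invented, and no token is used. It also handles the edge case a naive "<=" comparison misses: Okta uses 0 to mean "lockout disabled", "passwords never expire" and "unlimited session lifetime", so 0 must fail rather than pass.

```python
"""Added example: okta_passwords and okta_sessions thresholds over constructed policy JSON."""

PASSWORD_THRESHOLDS = {"minLength": 12, "historyCount": 5, "maxAttempts": 5, "maxAgeDays": 90}
SESSION_THRESHOLDS = {"maxSessionLifetimeMinutes": 12 * 60, "maxSessionIdleMinutes": 60}


def check_password_policy(policy):
    """okta_passwords for one PASSWORD policy. In Okta, lockout.maxAttempts == 0 disables
    lockout and age.maxAgeDays == 0 means passwords never expire, so 0 is a failure even
    though it satisfies '<= 5' and '<= 90' numerically."""
    pw = policy["settings"]["password"]
    actual = {
        "minLength": pw["complexity"]["minLength"],
        "historyCount": pw["age"]["historyCount"],
        "maxAttempts": pw["lockout"]["maxAttempts"],
        "maxAgeDays": pw["age"]["maxAgeDays"],
    }
    failures = []
    if actual["minLength"] < PASSWORD_THRESHOLDS["minLength"]:
        failures.append("minLength")
    if actual["historyCount"] < PASSWORD_THRESHOLDS["historyCount"]:
        failures.append("historyCount")
    if actual["maxAttempts"] == 0 or actual["maxAttempts"] > PASSWORD_THRESHOLDS["maxAttempts"]:
        failures.append("maxAttempts")
    if actual["maxAgeDays"] == 0 or actual["maxAgeDays"] > PASSWORD_THRESHOLDS["maxAgeDays"]:
        failures.append("maxAgeDays")
    return {"policy": policy["name"], "passed": not failures,
            "failures": failures, "actual": actual}


def check_signon_rules(policy, rules):
    """okta_sessions for one OKTA_SIGN_ON policy: every ACTIVE rule that allows access must
    require a factor, cap session lifetime at 12h and idle time at 1h. Okta uses 0 for an
    unlimited lifetime; a missing or 0 idle value is treated as unset and fails too
    (assumption: fail closed rather than trust a default)."""
    results = []
    for rule in rules:
        signon = rule.get("actions", {}).get("signon", {})
        if rule.get("status") != "ACTIVE" or signon.get("access") != "ALLOW":
            continue
        session = signon.get("session", {})
        lifetime = session.get("maxSessionLifetimeMinutes", 0)
        idle = session.get("maxSessionIdleMinutes", 0)
        failures = []
        if not signon.get("requireFactor"):
            failures.append("requireFactor")
        if lifetime == 0 or lifetime > SESSION_THRESHOLDS["maxSessionLifetimeMinutes"]:
            failures.append("maxSessionLifetimeMinutes")
        if idle == 0 or idle > SESSION_THRESHOLDS["maxSessionIdleMinutes"]:
            failures.append("maxSessionIdleMinutes")
        results.append({"policy": policy["name"], "rule": rule["name"],
                        "passed": not failures, "failures": failures})
    return results


# Constructed policies: one weak, one hardened, plus a DENY rule that is out of scope.
PASSWORD_POLICIES = [
    {"name": "Default Policy", "status": "ACTIVE", "settings": {"password": {
        "complexity": {"minLength": 8},
        "age": {"historyCount": 4, "maxAgeDays": 0},
        "lockout": {"maxAttempts": 10}}}},
    {"name": "Workforce Policy", "status": "ACTIVE", "settings": {"password": {
        "complexity": {"minLength": 14},
        "age": {"historyCount": 10, "maxAgeDays": 90},
        "lockout": {"maxAttempts": 5}}}},
]
SIGNON_POLICY = {"name": "Default Policy", "status": "ACTIVE"}
SIGNON_RULES = [
    {"name": "Legacy rule", "status": "ACTIVE", "actions": {"signon": {
        "access": "ALLOW", "requireFactor": False,
        "session": {"maxSessionLifetimeMinutes": 0, "maxSessionIdleMinutes": 120}}}},
    {"name": "Hardened rule", "status": "ACTIVE", "actions": {"signon": {
        "access": "ALLOW", "requireFactor": True,
        "session": {"maxSessionLifetimeMinutes": 480, "maxSessionIdleMinutes": 30}}}},
    {"name": "Block rule", "status": "ACTIVE", "actions": {"signon": {"access": "DENY"}}},
]


def run_policy_checks(password_policies=PASSWORD_POLICIES, signon_policy=SIGNON_POLICY,
                      signon_rules=SIGNON_RULES):
    return {"okta_passwords": [check_password_policy(p) for p in password_policies],
            "okta_sessions": check_signon_rules(signon_policy, signon_rules)}


if __name__ == "__main__":
    for name, items in run_policy_checks().items():
        for item in items:
            print(name, item.get("rule", item["policy"]), "PASS" if item["passed"] else item["failures"])
```

A real sweep would loop over every policy the API returns, not only the default one, because a group-scoped policy with weaker settings is exactly what an audit needs to surface.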

Verify Connection

Run: python3 {baseDir}/scripts/idp_evidence.py --test-connection

The exact permissions are documented in scripts/idp-permissions.json. Show with: python3 {baseDir}/../auditclaw-grc/scripts/db_query.py --action show-policy --provider idp

Safe usage recommendations
This skill appears to do what it claims: read-only audits of Google Workspace and Okta, with results stored in the AuditClaw GRC database. Before installing or running it:
  1. Provide only a Google service account with the minimal domain-wide delegation scopes (and the correct admin email) and an Okta API token created by a read-only admin; do not hand it more privileged keys.
  2. Confirm that the target database path (~/.openclaw/grc/compliance.sqlite) is the intended AuditClaw GRC database and that you trust its schema and backups, because the skill inserts rows directly when the db_query helper is absent.
  3. Review the local auditclaw-grc/scripts/db_query.py on your system (if present), since the skill invokes it via subprocess; make sure it is the legitimate script.
  4. Verify file permissions on the service-account JSON and the database so that secrets and evidence are protected.
These are routine operational checks, not evidence of malicious behavior.
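Points 2 to 4 above are checks an operator can script rather than eyeball. The following is an added pre-flight example, not part of the skill: it inspects the service-account key file (regular file, owned by the caller, no group/other permission bits, JSON that actually is a service_account key), confirms that a --db-path resolves through any symlinks to the intended database, and compares db_query.py against a pinned sha256. The paths, the pinned digest and the throwaway key contents in demo() are constructed placeholders; the real digest is whatever you record for the copy you reviewed.

```python
"""Added example: pre-flight checks for the key file, database path and helper script."""
import hashlib
import json
import os
import stat
import tempfile


def check_secret_file(path):
    """Return a list of problems with a service-account JSON key (empty list means OK)."""
    problems = []
    try:
        st = os.lstat(path)  # lstat: a symlink pointing elsewhere is itself a finding
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        problems.append("symlink")
    elif not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {stat.S_IMODE(st.st_mode):04o} is readable by group/other")
    getuid = getattr(os, "getuid", None)  # absent on Windows; ownership check skipped there
    if getuid is not None and st.st_uid != getuid():
        problems.append("not owned by current user")
    if "symlink" not in problems and "not a regular file" not in problems:
        try:
            with open(path, "rb") as fh:
                key = json.load(fh)
            if key.get("type") != "service_account":
                problems.append("type is not service_account")
            for field in ("client_email", "private_key"):
                if field not in key:
                    problems.append(f"missing {field}")
        except (ValueError, UnicodeDecodeError):
            problems.append("not valid JSON")
    return problems


def check_db_path(path, expected):
    """True when --db-path resolves (symlinks and ~ included) to the intended GRC database."""
    return (os.path.realpath(os.path.expanduser(path))
            == os.path.realpath(os.path.expanduser(expected)))


def verify_helper(path, expected_sha256):
    """db_query.py is executed via subprocess; compare its digest to the value you pinned."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest() == expected_sha256


def demo():
    """Exercise the checks against a throwaway key file with constructed, non-secret contents."""
    with tempfile.TemporaryDirectory() as tmp:
        key_path = os.path.join(tmp, "sa.json")
        with open(key_path, "w") as fh:
            json.dump({"type": "service_account",
                       "client_email": "scanner@example.iam.gserviceaccount.com",
                       "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n"},
                      fh)
        os.chmod(key_path, 0o644)          # world-readable: should be flagged
        loose = check_secret_file(key_path)
        os.chmod(key_path, 0o600)          # owner-only: should be clean
        tight = check_secret_file(key_path)
        helper = os.path.join(tmp, "db_query.py")
        with open(helper, "w") as fh:
            fh.write("print('stub')\n")
        pinned = hashlib.sha256(b"print('stub')\n").hexdigest()
        return {"loose": loose, "tight": tight,
                "helper_ok": verify_helper(helper, pinned),
                "helper_tampered": verify_helper(helper, "0" * 64)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The database itself deserves the same 0600 treatment as the key: it holds the list of accounts without MFA, which is reconnaissance material for anyone who can read it.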
Functional analysis
Type: OpenClaw Skill · Name: auditclaw-idp · Version: 1.0.2
The skill `auditclaw-idp` performs identity provider compliance checks, collecting read-only data from the Google Workspace and Okta APIs and storing it locally in `~/.openclaw/grc/compliance.sqlite`. All API interactions are read-only, as stated and confirmed by code analysis. Credentials are taken from environment variables rather than from files the skill writes. The `scripts/idp_evidence.py` orchestrator uses `subprocess.run` to call the companion `db_query.py` script; arguments are passed as a list (no shell is involved, so there is no shell-injection path) and data is JSON-encoded, which indicates legitimate inter-skill communication rather than malicious intent or a vulnerability in this skill. No evidence of data exfiltration, persistence, obfuscation, or prompt injection was found.
Capability assessment
Purpose & Capability
Name/description claim read-only Google Workspace and Okta checks; code implements exactly those checks and only asks (optionally) for Google service account JSON + admin email and Okta org URL + API token. Required binary (python3) and Python dependencies match the implementation. Minor mismatch: SKILL.md mentions an extra read-only reports scope but the build function uses the directory.users readonly scope; this is an implementation detail, not a capability mismatch.
Instruction Scope
Runtime instructions and idp_evidence.py are explicit: call provider APIs, assemble findings, and store evidence in the shared GRC DB (~/.openclaw/grc/compliance.sqlite). The script tries to invoke auditclaw-grc's db_query.py (subprocess) if present, and falls back to direct SQLite INSERT into the DB. These behaviors are coherent with the documented evidence-storage model but mean the skill will read environment variables, potentially read a local service-account JSON file path, and write into the shared GRC DB — all expected for this integration.
Install Mechanism
No remote downloads or installers in the registry entry; the skill is instruction/code-only. Dependencies are standard Python packages pinned in scripts/requirements.txt (google-api-python-client, google-auth, requests). Installation via 'pip install -r scripts/requirements.txt' is documented. No high-risk external downloads or extract steps were observed.
Credentials
Requested credentials (Google SA key path + admin email; Okta org URL + API token) are proportional to the stated checks. The skill does not request unrelated secrets or broad OS-level credentials. Environment variables are optional (providers can be skipped).
Persistence & Privilege
The skill does write to a shared GRC SQLite DB and updates an 'integrations' record; it also attempts to execute a db_query.py script if available. always:false and no automatic elevation is requested. Writing into the shared DB is expected for this integration, but it does imply trust in the skill and the database path provided; the skill does not modify other skills or system configuration beyond the GRC DB.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat: /install auditclaw-idp
  3. After installation, call the skill by name or trigger it with /auditclaw-idp
  4. Provide the inputs described in the skill's parameter documentation to get structured output
Version history
v1.0.2
- Added homepage and source links to metadata for increased transparency.
- Updated metadata to specify the `pip` requirements file for installation.
- Listed required and optional environment variables in metadata for clearer configuration instructions.
- No functional or command changes; documentation and metadata updates only.
v1.0.1
- Removed test files: tests/conftest.py and tests/test_idp_checks.py
- Test coverage for this skill has been reduced or removed in this version.
v1.0.0
Initial release of the AuditClaw IDP skill: automated compliance evidence collection for Google Workspace and Okta IDPs.
- Collects read-only compliance evidence from Google Workspace and Okta (8 total checks)
- Stores evidence in a shared GRC SQLite database for use with auditclaw-grc
- Supports user-invocable commands for a full evidence sweep or specific checks
- Security model: read-only API scopes; no credentials stored by the skill
- Includes a setup guide for Google Workspace and Okta integration via environment variables
Metadata
Slug auditclaw-idp
Version 1.0.2
License
Cumulative installs 0
Current installs 0
Version count 3
FAQ

What is AuditClaw Idp?

Identity provider compliance checks for auditclaw-grc. 8 read-only checks across Google Workspace (MFA, admin audit, inactive users, passwords) and Okta (MFA... It is an AI agent skill plugin for Claude Code / OpenClaw, with 570 downloads to date.

How do I install AuditClaw Idp?

Run the command "/install auditclaw-idp" in the OpenClaw or Claude Code chat. The skill itself installs in one step; the provider credentials, environment variables and pip dependencies described above still have to be configured before the checks can run.

Is AuditClaw Idp free?

Yes, AuditClaw Idp is free to download, install and use (the source is on GitHub; no license is listed in the metadata above).

Which platforms does AuditClaw Idp support?

AuditClaw Idp is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed.

Who developed AuditClaw Idp?

Developed and maintained by Nikhil Jathar (@mailnike); current version v1.0.2.
