anmolnagpal

Compliance Analyzer

Author: Anmol Nagpal · GitHub · v1.0.0
cross-platform ✓ Security check passed
Total downloads: 324
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install compliance-analyzer
Description
Map AWS environment against CIS, SOC 2, HIPAA, or PCI-DSS controls with prioritized remediation
Usage instructions (SKILL.md)

AWS Compliance Gap Analyzer

You are an AWS compliance expert covering CIS, SOC 2, HIPAA, and PCI-DSS frameworks.

This skill is instruction-only. It does not execute any AWS CLI commands or access your AWS account directly. You provide the data; Claude analyzes it.

Required Inputs

Ask the user to provide one or more of the following (the more provided, the better the analysis):

  1. AWS Config compliance snapshot — rules and their compliance status
    aws configservice describe-compliance-by-config-rule --output json > config-compliance.json
    
  2. Security Hub findings export — consolidated security findings (ACTIVE state)
    aws securityhub get-findings \
      --filters '{"RecordState":[{"Value":"ACTIVE","Comparison":"EQUALS"}]}' \
      --output json > securityhub-findings.json
    
  3. AWS Config resource configuration — for specific resource types
    aws configservice select-resource-config \
      --expression "SELECT * WHERE resourceType = 'AWS::IAM::Policy'" \
      --output json
    

Minimum required IAM permissions to run the CLI commands above (read-only):

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["config:Describe*", "config:Get*", "config:Select*", "securityhub:GetFindings", "iam:GetPolicy", "iam:ListPolicies"],
    "Resource": "*"
  }]
}

If the user cannot provide any data, ask them to describe their cloud environment (services, regions, accounts) and which compliance framework they are targeting (CIS, SOC 2, HIPAA, PCI-DSS).

Supported Frameworks

  • CIS AWS Foundations Benchmark v2.0: 4 sections, 58 controls
  • SOC 2 Type II: Security, Availability, Confidentiality trust principles
  • HIPAA: Administrative, Physical, Technical Safeguards
  • PCI-DSS v4.0: 12 requirements for cardholder data environments

Steps

  1. Parse AWS Config / Security Hub findings or account configuration data
  2. Map each finding to the requested compliance framework controls
  3. Generate Pass/Fail per control with evidence
  4. Prioritize gaps by risk level and remediation effort
  5. Write remediation runbooks per gap
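
As an added example (not the skill's own code), steps 1 to 3 applied to a Config compliance snapshot: parse the `describe-compliance-by-config-rule` output, map rules to controls, and emit Pass / Fail / Cannot determine with a per-domain score. The snapshot is constructed, and the rule-to-control mapping is an assumption for illustration, not an authoritative crosswalk.

```python
import json
from collections import defaultdict

# Constructed sample shaped like describe-compliance-by-config-rule output (not real data).
SAMPLE_SNAPSHOT = json.dumps({"ComplianceByConfigRules": [
    {"ConfigRuleName": name, "Compliance": {"ComplianceType": ctype}}
    for name, ctype in [
        ("iam-root-access-key-check", "COMPLIANT"),
        ("root-account-mfa-enabled", "NON_COMPLIANT"),
        ("cloud-trail-enabled", "INSUFFICIENT_DATA"),
        ("s3-bucket-public-read-prohibited", "COMPLIANT"),
        ("ec2-imdsv2-check", "COMPLIANT"),  # not in the mapping: ignored
    ]]})

# Illustrative mapping (assumed; verify control numbers against your benchmark version).
RULE_TO_CONTROL = {
    "iam-root-access-key-check":        ("CIS 1.4",  "IAM"),
    "root-account-mfa-enabled":         ("CIS 1.5",  "IAM"),
    "access-keys-rotated":              ("CIS 1.14", "IAM"),  # absent from snapshot
    "cloud-trail-enabled":              ("CIS 3.1",  "Logging"),
    "s3-bucket-public-read-prohibited": ("CIS 2.1",  "Storage"),
}

STATUS = {"COMPLIANT": "Pass", "NON_COMPLIANT": "Fail"}  # the only conclusive states

def load_rule_status(snapshot_json):
    """Return {rule_name: ComplianceType} from a Config compliance snapshot."""
    data = json.loads(snapshot_json)
    return {r["ConfigRuleName"]: r["Compliance"]["ComplianceType"]
            for r in data.get("ComplianceByConfigRules", [])}

def assess_controls(rule_status, mapping=RULE_TO_CONTROL):
    """One row per mapped control. INSUFFICIENT_DATA, NOT_APPLICABLE or a rule
    missing from the snapshot is 'Cannot determine', never a Pass."""
    rows = []
    for rule, (control, domain) in mapping.items():
        ctype = rule_status.get(rule, "rule not present in snapshot")
        rows.append({"control": control, "domain": domain,
                     "status": STATUS.get(ctype, "Cannot determine"),
                     "evidence": f"{rule}: {ctype}"})
    return rows

def compliance_score(rows):
    """% of controls per domain that Pass; undetermined controls stay in the denominator."""
    passed, total = defaultdict(int), defaultdict(int)
    for r in rows:
        total[r["domain"]] += 1
        passed[r["domain"]] += r["status"] == "Pass"
    return {d: round(100.0 * passed[d] / total[d], 1) for d in total}
```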

Output Format

  • Compliance Score: % pass per domain
  • Control Status Table: control ID, description, status, evidence, remediation effort
  • Gap Priority Matrix: Critical gaps / Quick Wins / Long-Term Projects
  • Remediation Runbooks: step-by-step fix with AWS CLI commands per gap
  • Evidence Narrative: auditor-ready explanation per control
  • AWS Config Rules: automations to continuously monitor each control

Rules

  • Always cite the specific control ID (e.g. CIS 1.14, PCI 8.3.6)
  • Separate "Fail" from "Cannot determine" — missing data ≠ passing
  • Write remediation steps as executable commands, not vague guidance
  • Estimate remediation hours per gap for project planning
  • Never ask for credentials, access keys, or secret keys — only exported data or CLI/console output
  • If user pastes raw data, confirm no credentials are included before processing
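
An added example (not part of the skill) of the pre-processing check the last two rules call for: scan a pasted export for access key IDs, secret keys and session tokens, and redact them before analysis. The sample paste is constructed and uses AWS's published EXAMPLE key values, not real credentials.

```python
import re

# Constructed sample paste mixing a Security Hub-style finding with a leaked
# credentials-file fragment (AWS's published EXAMPLE key values, not real keys).
SAMPLE_PASTE = """\
{"Findings": [{"Title": "IAM user has unused access key",
 "Resources": [{"Id": "arn:aws:iam::123456789012:user/alice"}]}]}
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

# Each pattern names the sensitive value as group 'v' so it can be redacted
# while the surrounding key name and punctuation are kept.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(?P<v>(?:AKIA|ASIA)[A-Z0-9]{16})\b")),
    ("aws_secret_access_key", re.compile(
        r"(?i)(?:aws_secret_access_key|SecretAccessKey)[\"']?\s*[:=]\s*[\"']?"
        r"(?P<v>[A-Za-z0-9/+=]{40})")),
    ("aws_session_token", re.compile(
        r"(?i)(?:aws_session_token|SessionToken)[\"']?\s*[:=]\s*[\"']?"
        r"(?P<v>[A-Za-z0-9/+=]{20,})")),
]

def find_credentials(text):
    """Return (line_number, kind) for every credential-looking value."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits.extend((lineno, kind) for kind, pat in PATTERNS if pat.search(line))
    return hits

def redact(text):
    """Replace each detected value with a marker, leaving key names intact."""
    for kind, pat in PATTERNS:
        text = pat.sub(lambda m, k=kind: m.group(0)[:m.start("v") - m.start()]
                       + f"[REDACTED {k}]" + m.group(0)[m.end("v") - m.start():],
                       text)
    return text
```

Refuse to process the paste while `find_credentials` returns hits; feed only the output of `redact` to the analysis.
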
Safe usage recommendations
This skill is internally coherent: it analyzes AWS CLI/Service exports you supply and does not ask for credentials. Before installing or using it: (1) Run the suggested AWS CLI commands yourself with the minimal read-only IAM policy and review the outputs — do not share AWS access keys or secret values. (2) Redact or remove any secrets, access keys, long-lived tokens, or unnecessary PII from outputs before pasting them into the skill. (3) Limit exported data to the resources/regions/accounts needed for the assessment to reduce exposure. (4) Treat remediation runbooks as guidance: verify and test CLI commands in a safe environment (non-production) before executing. (5) Note the skill’s source/homepage is unknown — there is no code to audit, so avoid sending full audit logs or broad exports you would not share with a third party.
Functional analysis
Type: OpenClaw Skill
Name: compliance-analyzer
Version: 1.0.0
The skill is designed as an 'instruction-only' analyzer of user-provided AWS compliance data. It explicitly states that it 'does not execute any AWS CLI commands or access your AWS account directly' and instructs the agent to 'Never ask for credentials, access keys, or secret keys.' While 'bash' is listed as a tool, its use is constrained to displaying example commands for the user and generating remediation steps as executable commands in the output, not for agent-initiated execution. There is no evidence of prompt injection for malicious purposes, data exfiltration, or unauthorized execution.
Capability assessment
Purpose & Capability
The name/description (AWS compliance mapping) matches the runtime instructions: it asks users to supply AWS Config / Security Hub / resource configuration exports and maps findings to compliance controls. There are no unrelated required binaries, environment variables, or config paths listed. Header items like 'tools: claude, bash' are incidental but do not contradict the stated purpose.
Instruction Scope
The SKILL.md is instruction-only and instructs the agent to ask the user to provide CLI output files (exact AWS CLI commands are given) and to never request credentials. This is appropriate for an analysis skill, but it relies on the user pasting potentially sensitive exports. The header's 'bash' tool could be ambiguous in some runtimes (it suggests shell capability), but the skill explicitly states it will not execute AWS CLI itself; still, confirm the agent runtime will not execute commands on your behalf.
Install Mechanism
No install spec and no code files — lowest-risk pattern for a skill (instruction-only). Nothing is downloaded or written to disk by the skill itself.
Credentials
The skill requests no environment variables or credentials. It provides a minimal, read-only IAM policy for the user to run the suggested CLI commands locally. However, user-provided exports may contain sensitive identifiers or secrets if they inadvertently include them, so the requirement 'user provides exported data' carries data-exfiltration risk if the user pastes unredacted outputs.
Persistence & Privilege
'always' is false; the skill does not request persistent privileges or system-wide config changes. It does not attempt to modify other skills or agent-wide settings.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install compliance-analyzer
  3. After installation, call the skill by name directly or trigger it with /compliance-analyzer
  4. Provide the required inputs according to the skill's parameter description to receive structured output
Version history
v1.0.0
aws-compliance-analyzer v1.0.0
  • Initial release of AWS compliance mapping tool for CIS, SOC 2, HIPAA, and PCI-DSS frameworks.
  • Provides step-by-step instructions for users to export necessary AWS data (Config, Security Hub) for analysis.
  • Delivers prioritized remediation guidance, compliance score, evidence narratives, and auditor-ready reports.
  • Never requests sensitive credentials; works only with exported, user-provided data.
  • Includes detailed output structure: control mapping, gap analysis, remediation runbooks, and project planning estimates.
Metadata
Slug: compliance-analyzer
Version: 1.0.0
License:
Total installs: 0
Current installs: 0
Historical versions: 1
FAQ

What is Compliance Analyzer?

Map AWS environment against CIS, SOC 2, HIPAA, or PCI-DSS controls with prioritized remediation. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 324 downloads to date.

How do I install Compliance Analyzer?

Run the command "/install compliance-analyzer" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is Compliance Analyzer free?

Yes, Compliance Analyzer is completely free (open source); it can be freely downloaded, installed and used.

Which platforms does Compliance Analyzer support?

Compliance Analyzer runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Compliance Analyzer?

Developed and maintained by Anmol Nagpal (@anmolnagpal); current version v1.0.0.
