← 返回 Skills 市场

GRC-Agent | SOC 2 Quality Review

Name: GRC-Agent | SOC 2 Quality Review
Author: mangopudding

作者 Simon Tin-Yul Kok · GitHub ↗ · v1.0.0

cross-platform ✓ 安全检测通过

593

总下载

当前安装

版本数

在 OpenClaw 中安装

/install grc-agent-soc2-quality-review

功能描述

Evaluate SOC 2 report quality using the SOC 2 Quality Guild rubric (Structure, Substance, Source). Use when reviewing a vendor SOC 2 Type 1/Type 2 report, tr...

使用说明 (SKILL.md)

SOC 2 Quality Review

Project Background & Acknowledgment

This skill was built using the SOC 2 Quality Guild resources at s2guild.org as a baseline for quality-focused SOC 2 vendor attestation reviews.

This project was the first GRC agent I wanated to try creating with OpenClaw after setting up across multiple environments, including Raspberry Pi, Intel NUC, several LXC containers, and a cluster setup of 3 Mac Studios using EXO.

Big thanks to the SOC 2 Quality Guild community for sharing excellent, practical guidance that helped shape this agent.

Maintainer

Author: Simon Tin-Yul Kok
LinkedIn: https://www.linkedin.com/in/simonkok/
GitHub: https://github.com/mangopudding/

Review SOC 2 quality before trusting conclusions.

When NOT to use this skill

Do not use this skill for:

Legal advice or legal conclusions about regulatory compliance.
Formal certification decisions (this is a quality review aid, not an issuing authority).
Deep technical penetration testing or exploit validation.
Historical incident forensics requiring endpoint/network-level evidence collection.
Vendor contract drafting as a substitute for legal/procurement review.

Workflow

Confirm review profile (audience, risk posture, strictness).
Confirm scope.
Score all 11 signals.
Run S12+ advanced diligence.
Summarize critical gaps.
Produce decision + follow-up requests.

Review profile (required)

Before scoring, capture these user-selectable settings:

Primary audience: Security, Procurement, Customer Trust, or All
Risk posture: Conservative / Balanced / Lenient
Data sensitivity baseline: High / Medium / Low
Evidence strictness: Escalate on Unknown / Conditional acceptance with deadline / Case-by-case
Output style: Executive memo, Full analyst report, or Both

Default to user-provided settings when available. If not provided, ask once before final verdict.

1) Confirm scope

Capture:

Report type: Type 1 or Type 2
Period covered
Trust Services Categories in scope
In-scope system boundary
Auditor firm + signer
Qualification status (unqualified/qualified/adverse/disclaimer)

If key sections are missing, stop and request a full report.

2) Score all 11 signals

Read references/rubric.md and score each signal:

2 = strong evidence
1 = partial or ambiguous
0 = missing, contradictory, or weak

Use a strict standard for Section 4 testing detail and source credibility checks.

2b) Run S12+ advanced diligence questions

After S1–S11 scoring, run references/advanced-diligence.md and collect answers for the additional diligence set.

Rules:

Treat S12+ as decision-strengthening checks, not replacements for S1–S11.
If an answer is unavailable, mark it explicitly as Unknown and create a follow-up request.
Elevate risk when multiple S12+ items remain unknown for high-sensitivity data use cases.

3) Flag hard fails

Treat these as high-severity findings by default:

Missing required auditor report structure (S1)
Missing/incomplete unsigned management assertion (S2)
Unlicensed or unverified CPA firm (S8)
Pervasive testing vagueness on critical controls (S7)

If one or more hard fails exist, recommend compensating evidence even if the opinion is unqualified.

4) Produce outputs

Always return three artifacts.

A) Executive verdict (short)

Overall confidence: High / Medium / Low (use references/confidence-rubric.md)
Decision: Accept / Accept with conditions / Escalate / Reject
Top 3 reasons

B) Scorecard

List S1–S11 with:

Score (0/1/2)
Evidence citation (use references/evidence-citation-format.md)
Why it matters
Follow-up request (if score \x3C2)

C) Follow-up request pack

Create a vendor-facing request list using references/vendor-request-templates.md:

Direct evidence needed
Clarifications required
Deadline recommendation
Decision gate (what must be resolved)

Scoring guidance

Prioritize evidence quality over report polish.
Penalize boilerplate language that could apply to any company.
Penalize weak control-to-criteria logic.
Penalize mismatch between exceptions and opinion severity.
Separate auditor credibility concerns from control design concerns.

Decision rubric

Use references/decision-matrix.md with the selected risk posture and evidence strictness.

Baseline outcomes:

Accept: no hard fails, most signals strong, no unresolved critical gaps.
Accept with conditions: limited gaps, clear compensating evidence path.
Escalate: mixed evidence, source credibility concerns, or unclear testing sufficiency.
Reject: fundamental structure/source failures or severe unresolved substance failures.

Required response format

Use this exact section order:

Executive verdict
Signal-by-signal scorecard (S1–S11)
Advanced diligence (S12+) findings
Critical risks
Vendor follow-up questions
Interim compensating controls (what your org should do now)

For structure and quality calibration, mirror references/output-example.md.

Calibration rules

Apply thresholds using selected profile:

High sensitivity (PII/PHI/financial, including candidate resume and employer/company data): require strong minimums on S4/S6/S7/S8 and tighter follow-up deadlines.
Medium sensitivity: allow limited partials with compensating evidence.
Low sensitivity: tolerate minor source/substance weaknesses with conditions.

Apply evidence strictness setting:

Escalate on Unknown: unknowns on critical areas force Escalate.
Conditional acceptance with deadline: permit temporary acceptance only with explicit due dates and owners.
Case-by-case: weigh unknowns by control criticality and data sensitivity.

安全使用建议

This skill is internally coherent and appears safe from a permissions/requirement standpoint, but keep in mind: - It is an analysis aid, not a legal or certification authority—verify final decisions with human experts. - The agent will process whatever report text you provide. Avoid sending unnecessary PII or sensitive production data unless you are comfortable with where and how the agent runs (platform/data handling policies). - Follow-up vendor requests and auditor credential checks suggested by the skill should be independently verified (e.g., check CPA licensing/peer-review records directly). - Because this is instruction-only, there is no code to inspect beyond the included docs; treat outputs as advisory and validate critical conclusions manually before acting.

功能分析

Type: OpenClaw Skill Name: grc-agent-soc2-quality-review Version: 1.0.0 The skill bundle provides instructions and reference materials for an AI agent to perform SOC 2 report quality reviews. All instructions within SKILL.md and the `references/` markdown files are strictly related to the stated purpose, guiding the agent to read local files for rubrics and formats. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts designed to subvert the agent's core function or access unrelated sensitive data. The external URL `s2guild.org` is mentioned as a resource acknowledgment, not as an instruction for the agent to interact with it.

能力评估

✓ Purpose & Capability

Name, description, and included reference materials all describe a SOC 2 report quality-review assistant. The skill declares no binaries, env vars, or config paths and does not attempt to access unrelated systems—requirements are proportional to the stated purpose.

✓ Instruction Scope

The SKILL.md instructs the agent to score S1–S11, run S12+ diligence, produce a scorecard and follow-up requests, and to consult the shipped reference docs. It does not instruct reading arbitrary system files, contacting external endpoints, or accessing credentials. It does instruct creating vendor-facing request text, which is appropriate for the purpose.

✓ Install Mechanism

No install spec or code is present; this is instruction-only. No downloads, package installs, or extracted artifacts are required, which minimizes on-disk execution risk.

✓ Credentials

The skill requests no environment variables, credentials, or config paths. The instructions refer only to bundled reference docs and user-provided reports/evidence — appropriate for a document-review assistant.

✓ Persistence & Privilege

Skill does not request always:true, does not modify other skills or system settings, and has the normal default autonomous-invocation setting. Its level of persistence and privilege is appropriate for an on-demand review helper.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install grc-agent-soc2-quality-review
安装完成后，直接呼叫该 Skill 的名称或使用 /grc-agent-soc2-quality-review 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Initial release: SOC 2 quality review skill using the SOC 2 Quality Guild rubric. - Evaluates SOC 2 Type 1/Type 2 reports based on Structure, Substance, and Source. - Includes detailed workflow: review profile, scope confirmation, multi-signal scoring, advanced diligence, gap summary, and vendor follow-up. - Supports user profile customization (risk posture, evidence strictness, output style, etc). - Returns structured outputs: executive verdict, scorecard, advanced findings, risk summary, follow-up list, and compensating controls. - Aligns risk and escalation guidance with data sensitivity and evidence strictness settings.

元数据

Slug grc-agent-soc2-quality-review

版本 1.0.0

许可证 —

累计安装 1

当前安装数 1

历史版本数 1

常见问题