← Back to Skills Marketplace
mailnike

AuditClaw Gcp

by Nikhil Jathar · GitHub ↗ · v1.0.2
cross-platform ✓ Security Clean
567
Downloads
0
Stars
0
Active Installs
3
Versions
Install in OpenClaw
/install auditclaw-gcp
Description
GCP compliance evidence collection for auditclaw-grc. 12 read-only checks across Cloud Storage, firewall, IAM, logging, KMS, DNS, BigQuery, Compute, and Clou...
README (SKILL.md)

AuditClaw GCP

Companion skill for auditclaw-grc. Collects compliance evidence from Google Cloud Platform projects using read-only API calls.

12 checks | Viewer + Security Reviewer roles only | Evidence stored in shared GRC database

Security Model

  • Read-only access: Requires 6 read-only IAM roles (Viewer, Security Reviewer, Cloud SQL Viewer, Logging Viewer, DNS Reader, Cloud KMS Viewer). No write/modify permissions.
  • Credentials: Uses standard GCP credential chain (GOOGLE_APPLICATION_CREDENTIALS or gcloud auth). No credentials stored by this skill.
  • Dependencies: Google Cloud SDK packages (all pinned in requirements.txt)
  • Data flow: Check results stored as evidence in ~/.openclaw/grc/compliance.sqlite via auditclaw-grc

Prerequisites

  • GCP credentials configured (gcloud auth application-default login or service account JSON)
  • GCP_PROJECT_ID environment variable set
  • pip install -r scripts/requirements.txt
  • auditclaw-grc skill installed and initialized

Commands

  • "Run GCP evidence sweep": Run all checks, store results in GRC database
  • "Check GCP storage compliance": Run Cloud Storage checks
  • "Check GCP firewall rules": Run firewall ingress checks
  • "Check GCP IAM compliance": Run IAM service account checks
  • "Check GCP logging status": Verify audit logging configuration
  • "Check GCP KMS keys": Review KMS key rotation
  • "Show GCP integration health": Last sync, errors, evidence count

Usage

All evidence is stored in the shared GRC database at ~/.openclaw/grc/compliance.sqlite via the auditclaw-grc skill's db_query.py script.

To run a full evidence sweep:

python3 scripts/gcp_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --all

To run specific checks:

python3 scripts/gcp_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --checks storage,firewall,iam

Check Categories (9 files, 12 findings)

Check What It Verifies
storage Uniform bucket-level access, public access prevention
firewall No unrestricted ingress (0.0.0.0/0) to SSH/RDP/all
iam Service account key rotation (90 days), SA admin privilege restriction
logging Audit logging enabled (all services), log export sink exists
kms KMS key rotation period \x3C= 90 days
dns DNSSEC enabled on public zones
bigquery No public dataset access (allUsers/allAuthenticatedUsers)
compute No default service account with cloud-platform scope
cloudsql SSL enforcement, no public IP with 0.0.0.0/0

Evidence Storage

Each check produces evidence items stored with:

  • source: "gcp"
  • type: "automated"
  • control_id: Mapped to relevant SOC2/ISO/HIPAA controls
  • description: Human-readable finding summary
  • file_content: JSON details of the check result

Required IAM Roles

  • roles/viewer
  • roles/iam.securityReviewer
  • roles/cloudsql.viewer
  • roles/logging.viewer
  • roles/dns.reader
  • roles/cloudkms.viewer

All checks use read-only access only.

Setup Guide

When a user asks to set up GCP integration, guide them through these steps:

Step 1: Create Service Account

gcloud iam service-accounts create auditclaw-scanner --display-name="AuditClaw Scanner"

Step 2: Grant IAM Roles

Grant these 6 read-only roles:

for role in roles/viewer roles/iam.securityReviewer roles/cloudsql.viewer roles/logging.viewer roles/dns.reader roles/cloudkms.viewer; do
  gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:auditclaw-scanner@PROJECT_ID.iam.gserviceaccount.com \
    --role=$role
done

Step 3: Generate JSON Key

gcloud iam service-accounts keys create key.json --iam-account=auditclaw-scanner@PROJECT_ID.iam.gserviceaccount.com

Step 4: Configure Credentials

Set environment variables:

  • GOOGLE_APPLICATION_CREDENTIALS=/path/to/key.json
  • GCP_PROJECT_ID=your-project-id

Step 5: Verify Connection

Run: python3 {baseDir}/scripts/gcp_evidence.py --test-connection

The exact roles are documented in scripts/gcp-roles.json. Show with: python3 {baseDir}/../auditclaw-grc/scripts/db_query.py --action show-policy --provider gcp

Usage Guidance
This skill appears to do what it claims: read-only GCP checks and storing evidence in the AuditClaw GRC DB. Before installing/use: 1) Review and grant only the documented least-privilege IAM roles to the service account (roles/viewer, roles/iam.securityReviewer, roles/cloudsql.viewer, roles/logging.viewer, roles/dns.reader, roles/cloudkms.viewer). 2) Understand that the skill will use the service-account JSON pointed to by GOOGLE_APPLICATION_CREDENTIALS — protect that key and rotate/delete it when no longer needed. 3) Dependencies are pinned in scripts/requirements.txt but the registry shows no install hook; be prepared to run pip install -r scripts/requirements.txt yourself. 4) The orchestrator will attempt to call auditclaw-grc's db_query.py; if not found it will write directly to ~/.openclaw/grc/compliance.sqlite — back up that DB before running and review the DB schema if you have concerns about direct inserts. 5) Run first in a test environment or on a non-production project to validate behavior. 6) If you need higher assurance, review scripts/gcp_evidence.py and the checks modules (they are included) to confirm there are no unapproved writes or external network calls beyond Google APIs.
Capability Analysis
Type: OpenClaw Skill Name: auditclaw-gcp Version: 1.0.2 The OpenClaw AgentSkills bundle 'auditclaw-gcp' is designed for GCP compliance evidence collection, performing read-only checks across various GCP services. All interactions with GCP APIs are read-only, and results are stored locally in `~/.openclaw/grc/compliance.sqlite`. The skill uses standard Google Cloud SDKs, with dependencies pinned in `scripts/requirements.txt`. While `scripts/gcp_evidence.py` uses `subprocess.run` for inter-skill communication with `db_query.py` (from `auditclaw-grc`), the arguments are constructed from internal data and JSON-encoded, mitigating direct shell injection risks from this skill. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, obfuscation, or prompt injection attempts in `SKILL.md` or `README.md`. The requested IAM roles are explicitly read-only, aligning with the stated purpose.
Capability Assessment
Purpose & Capability
Name/description match the contained code and instructions: the scripts query GCP services (Storage, IAM, Firewall, Logging, KMS, DNS, BigQuery, Compute, Cloud SQL) and produce compliance findings. Required binaries (python3), env vars (GCP_PROJECT_ID, GOOGLE_APPLICATION_CREDENTIALS), and the pinned google-* libraries align with the stated purpose.
Instruction Scope
Runtime instructions and scripts stay within the stated scope: they call GCP APIs, collect findings, and store evidence in the auditclaw-grc DB at ~/.openclaw/grc/compliance.sqlite or via the auditclaw-grc scripts/db_query.py. Note: the orchestrator has a fallback that performs direct SQLite inserts into that DB if db_query.py is not found — this means the skill will write into the user's GRC database file. There are no unexpected external endpoints or broad file reads beyond the service-account JSON path and the local GRC DB.
Install Mechanism
Dependencies are standard google-cloud Python libraries pinned in scripts/requirements.txt (no external arbitrary downloads). However, registry metadata indicates 'No install spec — instruction-only' while SKILL.md includes install metadata (pip: scripts/requirements.txt) and the repo contains requirements.txt. This is an inconsistency the user should be aware of: dependencies must be installed (pip) before running, and the platform may not auto-install them.
Credentials
The skill only requests GCP-related environment variables (GCP_PROJECT_ID, GOOGLE_APPLICATION_CREDENTIALS) and instructs creating a GCP service account with read-only roles. The requested IAM roles are documented and appropriate for read-only checks. No unrelated credentials or secrets are requested.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request permanent platform-wide privileges or modify other skills. It does write/update records in the auditclaw-grc DB (integration status and evidence), which is expected behavior for a compliance collector.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install auditclaw-gcp
  3. After installation, invoke the skill by name or use /auditclaw-gcp
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
- Added homepage and source fields for improved skill metadata. - Updated install metadata to specify pip installation from scripts/requirements.txt. - Listed "GOOGLE_APPLICATION_CREDENTIALS" as a required environment variable for clarity. - No changes to functionality or code; documentation and metadata improvements only.
v1.0.1
- Removed all test files (`tests/conftest.py`, `tests/test_gcp_checks.py`) from the skill package. - No changes to the main functionality or evidence collection logic.
v1.0.0
Initial release of auditclaw-gcp for integration with auditclaw-grc: - Collects GCP compliance evidence across nine key categories (storage, firewall, IAM, logging, KMS, DNS, BigQuery, Compute, CloudSQL). - Provides user-invocable commands for running evidence sweeps or targeted checks. - Stores evidence in the shared GRC compliance database with mapped control IDs and finding details. - Includes a detailed setup guide for configuring a GCP service account with least-privilege roles. - Requires read-only IAM roles and environment variables for operation. - Supports integration health checks and GCP connection verification.
Metadata
Slug auditclaw-gcp
Version 1.0.2
License
All-time Installs 0
Active Installs 0
Total Versions 3
Frequently Asked Questions

What is AuditClaw Gcp?

GCP compliance evidence collection for auditclaw-grc. 12 read-only checks across Cloud Storage, firewall, IAM, logging, KMS, DNS, BigQuery, Compute, and Clou... It is an AI Agent Skill for Claude Code / OpenClaw, with 567 downloads so far.

How do I install AuditClaw Gcp?

Run "/install auditclaw-gcp" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is AuditClaw Gcp free?

Yes, AuditClaw Gcp is completely free (open-source). You can download, install and use it at no cost.

Which platforms does AuditClaw Gcp support?

AuditClaw Gcp is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created AuditClaw Gcp?

It is built and maintained by Nikhil Jathar (@mailnike); the current version is v1.0.2.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments