ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Vendor Risk Assessment

v1.0.0

Assess third-party vendor risk for AI and SaaS products. Evaluates security posture, data handling, compliance, financial stability, and operational resilien...

0· 379·0 current·0 all-time
by@1kalin
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name, description, and SKILL.md focus on researching and scoring vendors across security, privacy, compliance, financial, operational, and contractual dimensions. There are no declared env vars, binaries, or install steps that would be unrelated to that research task.
Instruction Scope
The runtime instructions direct the agent to 'research' the vendor (website, certifications, status pages, breach history, Crunchbase/LinkedIn, customer reviews). That is consistent with the purpose, but the guidance is open-ended: it implicitly requires web access and judgement about what sources to trust. It does not instruct the agent to read local files, access unspecified credentials, or transmit data to unexpected endpoints, but the open-ended research step could lead an agent to contact external services or include harvested public information in reports.
Install Mechanism
Instruction-only skill with no install spec, no code files, and nothing will be written to disk by the skill itself. This is the lowest-risk install profile.
Credentials
No environment variables, credentials, or config paths are required. The assessment relies on public research and user-supplied vendor details, which is proportionate to the stated functionality.
Persistence & Privilege
always is false and the skill does not request permanent system presence or modify other skills. Model invocation is allowed by default (normal for skills) but not combined with any additional privileged access.
Assessment
This skill appears coherent and limited to vendor research/reporting. Before installing or using it, consider: (1) Do not paste or upload confidential vendor contracts, credentials, or screenshots containing secrets into the agent — only provide non-sensitive vendor metadata. (2) The agent will perform open-ended web research (public sites, Crunchbase/LinkedIn, status pages), so confirm you are comfortable with public-source queries. (3) Verify any critical findings by obtaining vendor-supplied artifacts (e.g., SOC2 report) directly rather than relying solely on automated summaries. (4) If you need the agent to fetch private documents, require explicit controls (scoped, temporary credentials) and audit logging. Overall this skill is internally consistent with its purpose, but treat outputs as advisory and validate high-impact decisions with primary evidence.

Like a lobster shell, security has layers — review code before you run it.

latestvk974pgv7df61m2ahgq11vne2c181rky2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Vendor Risk Assessment

Evaluate any AI/SaaS vendor across 6 risk dimensions. Outputs a scored report with go/no-go recommendation.

When to Use

  • Onboarding a new SaaS or AI vendor
  • Annual vendor review cycle
  • Evaluating build-vs-buy decisions
  • Due diligence for partnerships or acquisitions
  • Compliance requirements (SOC2, ISO 27001, GDPR)

How to Use

The user provides vendor details (name, product, website, any available documentation). The agent researches and scores the vendor across 6 dimensions.

Input Format

Vendor: [Company Name]
Product: [Product/Service Name]
Website: [URL]
Use Case: [What you'd use it for]
Data Sensitivity: [low/medium/high/critical]
Additional Context: [Any docs, certifications, or concerns]

Assessment Framework

6 Risk Dimensions (each scored 1-10)

1. Security Posture

  • SOC2 Type II certification?
  • Penetration testing cadence
  • Encryption (at rest + in transit)
  • Access controls and authentication
  • Incident response plan
  • Bug bounty program

2. Data Handling & Privacy

  • Data residency and sovereignty
  • Data retention and deletion policies
  • Sub-processor transparency
  • GDPR/CCPA compliance
  • Data portability (can you get your data out?)
  • AI training opt-out policies

3. Compliance & Certifications

  • SOC2, ISO 27001, HIPAA, FedRAMP
  • Industry-specific (PCI-DSS, HITRUST, etc.)
  • AI-specific (EU AI Act readiness, NIST AI RMF)
  • Audit frequency and transparency
  • Regulatory track record

4. Financial Stability

  • Funding stage and runway
  • Revenue indicators (public or estimated)
  • Customer concentration risk
  • Acquisition risk
  • Pricing stability history

5. Operational Resilience

  • Uptime SLA and historical performance
  • Disaster recovery plan
  • Multi-region availability
  • Dependency on single cloud provider
  • Support responsiveness and escalation paths
  • Change management process

6. Contractual Terms

  • Termination and exit clauses
  • Liability caps and indemnification
  • IP ownership clarity
  • Auto-renewal traps
  • Price increase limitations
  • SLA breach remedies

Output Format

# Vendor Risk Assessment: [Vendor Name]
**Date:** YYYY-MM-DD
**Assessor:** AI Agent (AfrexAI)
**Data Sensitivity Level:** [low/medium/high/critical]

## Overall Risk Score: [X/10] — [LOW/MEDIUM/HIGH/CRITICAL]

## Dimension Scores
| Dimension | Score | Risk Level | Key Finding |
|-----------|-------|------------|-------------|
| Security Posture | X/10 | LOW/MED/HIGH | ... |
| Data Handling | X/10 | LOW/MED/HIGH | ... |
| Compliance | X/10 | LOW/MED/HIGH | ... |
| Financial Stability | X/10 | LOW/MED/HIGH | ... |
| Operational Resilience | X/10 | LOW/MED/HIGH | ... |
| Contractual Terms | X/10 | LOW/MED/HIGH | ... |

## Recommendation: [APPROVE / APPROVE WITH CONDITIONS / REJECT]

## Critical Findings
- [Finding 1]
- [Finding 2]

## Mitigation Requirements (if Approve with Conditions)
1. [Requirement 1 — deadline]
2. [Requirement 2 — deadline]

## Research Sources
- [Source 1]
- [Source 2]

Scoring Guide

  • 9-10: Excellent — minimal risk, enterprise-grade
  • 7-8: Good — acceptable for most use cases
  • 5-6: Moderate — proceed with caution, mitigations needed
  • 3-4: Poor — significant concerns, conditional approval only
  • 1-2: Critical — recommend rejection or major remediation

Overall Risk Calculation

  • Average of 6 dimensions, weighted by data sensitivity:
    • Low sensitivity: equal weights
    • Medium: Security 2x, Data 2x
    • High: Security 3x, Data 3x, Compliance 2x
    • Critical: Security 4x, Data 4x, Compliance 3x, Financial 2x

Research Process

  1. Check vendor website for security/compliance pages
  2. Search for SOC2/ISO certifications and trust pages
  3. Check status pages for uptime history
  4. Search for breach history or security incidents
  5. Review pricing page for contract terms indicators
  6. Check Crunchbase/LinkedIn for financial stability signals
  7. Search for customer reviews mentioning reliability/support

Pro Tips

  • Request the vendor's SOC2 Type II report directly — if they hesitate, that's a signal
  • Check their status page history (statuspage.io, etc.) for real uptime data
  • For AI vendors specifically: ask about model training on your data, output ownership, and hallucination liability
  • Compare their security page to competitors — vague = red flag

Need help managing vendor risk across your entire stack? AfrexAI builds autonomous AI agents that monitor vendors continuously — not just at onboarding. Visit afrexai.com or book a call: calendly.com/cbeckford-afrexai/30min

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…