Compliance Checker

v1.1.0

Policy-based compliance assessment for OpenClaw skills. Define security policies, assess skills against them, track violations, and generate compliance repor...

⭐ 0· 707·0 current·0 all-time

byArcSelf@trypto1019

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Benign

high confidence

✓

Purpose & Capability

Name/description match the actual behavior: the script inspects skill files under ~/.openclaw/skills, applies policy checks, and stores assessments locally. Only python3 is required, which is proportionate to the stated purpose.

ℹ

Instruction Scope

Runtime instructions are limited to creating policies, checking skill code, invoking local scanner/verifier scripts, and writing JSON under ~/.openclaw/compliance. Two minor notes: pattern checks are simple substring searches across code+SKILL.md (which can yield false positives if docs mention flagged terms), and the SKILL.md refers to 'arc-skill-scanner'/'arc-trust-verifier' while checker.py looks for 'skill-scanner'/'trust-verifier' script paths (naming mismatch may require the scanner/verifier to be installed under expected names).

✓

Install Mechanism

No install spec or remote downloads; the skill is instruction-only with an included Python script. Nothing is fetched from external URLs or written to system locations beyond the user's home directory.

✓

Credentials

The skill requests no environment variables or credentials and only reads files from ~/.openclaw/skills and writes to ~/.openclaw/compliance, which is appropriate for a local compliance tool.

✓

Persistence & Privilege

always is false; the skill does not request permanent/global privileges or modify other skills' configs. It stores its own policy/assessment artifacts under its own directory.

Assessment

This appears to be a local compliance utility and is coherent with its description. Before installing, review scripts/checker.py (already included) to confirm naming/paths for your scanner and trust-verifier; expect it to read all skill files under ~/.openclaw/skills and to create JSON records in ~/.openclaw/compliance. If you rely on external 'arc-skill-scanner' or 'arc-trust-verifier', ensure those tools are installed where checker.py expects them (or adjust paths). Note that pattern checks are simple substring matches and may flag documentation or benign code; review flagged findings manually before acting. Finally, because the tool invokes other local scanner/verifier scripts, validate those tools separately (they will run via subprocess and could broaden the trust surface).

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🛡️ Clawdis

OSmacOS · Linux

Binspython3

latestvk976zbx699axg1hqtnrrggxvw981awzx

707downloads

0stars

1versions

Updated 1mo ago

v1.1.0

MIT-0

macOS, Linux

Compliance Checker

Assess OpenClaw skills against defined security policies. Track compliance posture across your skill inventory with framework-mapped findings and remediation tracking.

Why This Exists

Security scanners find vulnerabilities. Trust verifiers check provenance. But neither answers: "Does this skill meet our security policy?" Compliance Checker bridges the gap — define what "compliant" means for your environment, then assess every skill against those rules.

Quick Start

Define a policy

python3 {baseDir}/scripts/checker.py policy create --name "production" --description "Production deployment requirements"

Add rules to the policy

python3 {baseDir}/scripts/checker.py policy add-rule --policy "production" \
  --rule "no-critical-findings" \
  --description "No CRITICAL findings from skill scanner" \
  --severity critical

python3 {baseDir}/scripts/checker.py policy add-rule --policy "production" \
  --rule "trust-verified" \
  --description "Must have VERIFIED or TRUSTED trust level" \
  --severity high

python3 {baseDir}/scripts/checker.py policy add-rule --policy "production" \
  --rule "no-network-calls" \
  --description "No unauthorized network calls in scripts" \
  --severity high

python3 {baseDir}/scripts/checker.py policy add-rule --policy "production" \
  --rule "no-shell-exec" \
  --description "No shell=True or subprocess calls" \
  --severity medium

python3 {baseDir}/scripts/checker.py policy add-rule --policy "production" \
  --rule "has-checksum" \
  --description "Must have SHA-256 checksums for all scripts" \
  --severity medium

Assess a skill against a policy

python3 {baseDir}/scripts/checker.py assess --skill "arc-budget-tracker" --policy "production"

Assess all installed skills

python3 {baseDir}/scripts/checker.py assess-all --policy "production"

View compliance status

python3 {baseDir}/scripts/checker.py status --policy "production"

Generate compliance report

python3 {baseDir}/scripts/checker.py report --policy "production" --format json
python3 {baseDir}/scripts/checker.py report --policy "production" --format text

Built-in Rules

The following rules are available out of the box:

Rule	What it checks	Framework mapping
`no-critical-findings`	No CRITICAL findings from scanner	CIS Control 16, OWASP A06
`no-high-findings`	No HIGH findings from scanner	CIS Control 16, OWASP A06
`trust-verified`	Trust level is VERIFIED or TRUSTED	CIS Control 2
`no-network-calls`	No unauthorized network requests	CIS Control 9, OWASP A10
`no-shell-exec`	No shell execution patterns	CIS Control 2, OWASP A03
`no-eval-exec`	No eval/exec patterns	OWASP A03
`has-checksum`	SHA-256 checksums for all files	CIS Control 2
`no-env-access`	No environment variable access	CIS Control 3
`no-data-exfil`	No data exfiltration patterns	CIS Control 3, CIS Control 13
`version-pinned`	All dependencies version-pinned	CIS Control 2

Compliance Status

Each skill-policy assessment produces one of:

COMPLIANT — Passes all rules in the policy
NON-COMPLIANT — Fails one or more rules
EXEMPTED — Has approved exemptions for all failures
UNKNOWN — Not yet assessed

Exemptions

Sometimes a skill legitimately needs to violate a rule (e.g., a network monitoring skill needs network access). Record exemptions with justification:

python3 {baseDir}/scripts/checker.py exempt --skill "arc-skill-scanner" \
  --rule "no-network-calls" \
  --reason "Scanner needs network access to check URLs against blocklists" \
  --approved-by "arc"

Remediation Tracking

When a skill fails compliance, track the fix:

python3 {baseDir}/scripts/checker.py remediate --skill "some-skill" \
  --rule "no-shell-exec" \
  --action "Replaced subprocess.call with safer alternative" \
  --status fixed

Storage

Compliance data is stored in ~/.openclaw/compliance/:

policies/ — Policy definitions (JSON)
assessments/ — Assessment results per skill (JSON)
exemptions/ — Approved exemptions (JSON)
remediations/ — Remediation tracking (JSON)

Integration

Compliance Checker reads output from:

arc-skill-scanner — vulnerability findings
arc-trust-verifier — trust levels and attestations

Run a full pipeline:

# Scan → verify trust → assess compliance
python3 {baseDir}/scripts/checker.py pipeline --skill "some-skill" --policy "production"

Comments

Loading comments...