ClawHub

Control Assessment

v0.1.3

Evaluate individual framework controls against organizational documentation with evidence extraction, severity classification, and remediation recommendations.

0· 244·0 current·0 all-time
by@dangsllc
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill claims to evaluate controls against organizational documentation and its instructions require reading and mapping document sections, extracting quotes, classifying gaps, and producing remediation recommendations. The allowed tools (Read, Glob, Grep, WebFetch) and absence of required env vars or installs align with that purpose.
Instruction Scope
The SKILL.md explicitly instructs the agent to read, search, and extract direct quotes from the provided documents and to map sections to controls. This is appropriate for the task, but it means the skill will access any documents supplied and extract potentially sensitive text. The document does not instruct the agent to transmit data to external endpoints, although WebFetch is allowed (likely for fetching control definitions or guidance).
Install Mechanism
Instruction-only skill with no install spec and no code files. This has the lowest install risk — nothing is downloaded or written to disk by an installer.
Credentials
No environment variables, credentials, or config paths are requested. The absence of external secrets or unrelated credentials is proportionate to the stated purpose.
Persistence & Privilege
The skill is not marked always:true and does not request persistent system-level privileges. Autonomous invocation is allowed by default but not excessive here; nothing indicates the skill modifies other skills or system settings.
Assessment
This skill is coherent and appears to do what it says: it will read the documents you give it and extract quotes and mappings to controls. Before installing or using it, (1) only provide documents you are comfortable having read and processed (they may contain sensitive quotes), (2) confirm whether network access (WebFetch) is desirable — if you don't want any web fetches, restrict that capability, and (3) check how the agent will output or store the JSON results (ensure outputs are kept in a location and workflow you trust). If you need automatic internet posting of results, require an explicit review step first.

Like a lobster shell, security has layers — review code before you run it.

latestvk976nkk9qc05myg4zc1nr9xv9582a5gv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments