SOC 2 Readiness Checker

Assess your organization's SOC 2 audit readiness with scores, gap analysis, audit type advice, and a prioritized remediation roadmap across all Trust Service...

MIT-0 · Free to use, modify, and redistribute. No attribution required.

⭐ 0 · 21 · 0 current installs · 0 all-time installs

byToolWeb@krishnakumarmahadevan-cmd

MIT-0

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Suspicious

medium confidence

ℹ

Purpose & Capability

The described capability (assessing SOC 2 readiness) matches the SKILL.md content and example input/output. However, the SKILL.md expects use of an external API (portal.toolweb.in) and an API key for authentication, yet the skill package declares no required environment variables or primary credential. That omission is inconsistent with the skill's stated runtime behavior.

Instruction Scope

The instructions direct the agent to POST assessment data to https://portal.toolweb.in/apis/compliance/soc2-readiness and to authenticate with an API key (X-API-Key or mcp_api_key). The assessment input contains organization-level controls which can be sensitive. The SKILL.md therefore causes external transmission of organizational data; the skill does not declare constraints on what may be sent nor any local-only mode. There is no explicit instruction about redacting PII or minimizing data sent.

✓

Install Mechanism

This is an instruction-only skill with no install spec and no code files, which reduces disk-write risk. No download URLs or package installs are present.

Credentials

The API reference requires an API key, but the skill metadata declares no required env vars or primary credential. Requesting (or implicitly requiring) an API key for an external service without declaring it is disproportionate and a provenance/visibility issue: users won't be prompted to supply or review the credential requirement when installing. Additionally, the skill would accept and transmit many organization-specific fields (cloud services, controls, backups, etc.), which are sensitive — that level of access should be explicit and justified.

✓

Persistence & Privilege

The skill has not requested always:true, does not declare persistent system installs, and is user-invocable only. Autonomous invocation is allowed by platform default but not excessive here. No modifications to other skills or global agent settings are indicated.

What to consider before installing

This skill appears to rely on an external service (portal.toolweb.in) and requires an API key to run, but the package metadata does not declare that credential — that's an inconsistency. Before installing or using it: 1) Verify the publisher and the portal.toolweb.in domain (TLS cert, company/legal info, privacy policy, and reputation). 2) Confirm where assessment data is sent, how long it is retained, and whether it will be shared with third parties. 3) Insist the skill declare required env vars (e.g., TOOLWEB_API_KEY) so credential usage is visible at install time. 4) Test with non-sensitive/dummy data first. 5) If you must supply real organisation data, provision a scoped API key with minimal privileges and short TTL, and ensure communication is over HTTPS. 6) If you cannot verify the service provenance or data handling, prefer an offline/local assessment workflow or a vetted vendor.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0

Download zip

latestvk97da9mtzs0w7c9kz70c1kq17x836kd2

License

MIT-0

Free to use, modify, and redistribute. No attribution required.

Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

SOC 2 Readiness Checker

Evaluate your organization's readiness for a SOC 2 Type I or Type II audit across all five Trust Services Criteria — Security, Availability, Processing Integrity, Confidentiality, and Privacy. Provide your current control posture and get back a readiness score, gap analysis, and a prioritized remediation roadmap to achieve audit-ready status.

Usage

{
  "tool": "soc2_readiness_checker",
  "input": {
    "company_size": "Medium",
    "industry": "SaaS / Technology",
    "cloud_services": ["AWS", "Google Workspace", "Snowflake", "Salesforce"],
    "has_policies": true,
    "access_controls": true,
    "encryption_at_rest": true,
    "encryption_in_transit": true,
    "backup_procedures": true,
    "incident_response_plan": false,
    "vendor_management": false,
    "employee_training": false,
    "logging_monitoring": true,
    "change_management": false
  }
}

Parameters

All fields are required.

Company Profile

Field	Type	Description
`company_size`	string	`Small`, `Medium`, `Large`, `Enterprise`
`industry`	string	Industry vertical (e.g., `SaaS / Technology`, `Financial Services`, `Healthcare`, `E-commerce`)
`cloud_services`	array of strings	Cloud platforms and SaaS tools in use. Examples: `AWS`, `Azure`, `GCP`, `Google Workspace`, `Microsoft 365`, `Snowflake`, `Salesforce`, `Okta`

Control Posture (boolean flags)

Field	Type	Description
`has_policies`	boolean	Formal information security policies documented and in effect
`access_controls`	boolean	Role-based access control and least-privilege enforced
`encryption_at_rest`	boolean	Data encrypted at rest across storage systems
`encryption_in_transit`	boolean	Data encrypted in transit (TLS/HTTPS enforced)
`backup_procedures`	boolean	Documented and tested data backup and recovery procedures
`incident_response_plan`	boolean	Formal incident response plan exists and has been tested
`vendor_management`	boolean	Third-party vendor risk management program in place
`employee_training`	boolean	Regular security awareness training conducted for all staff
`logging_monitoring`	boolean	Centralized logging and real-time security monitoring active
`change_management`	boolean	Formal change management process for systems and infrastructure

What You Get

Overall SOC 2 readiness score — percentage score with readiness tier (Not Ready / Partially Ready / Nearly Ready / Audit Ready)
Trust Services Criteria breakdown — gap analysis per TSC: Security (CC), Availability (A), Processing Integrity (PI), Confidentiality (C), Privacy (P)
Control gap list — exactly which controls are missing or insufficient
Audit type recommendation — whether to pursue Type I first or go directly to Type II
Prioritized remediation roadmap — Immediate (0–30 days), Short-term (30–90 days), Long-term (90+ days)
Estimated time to audit readiness — realistic timeline based on current posture
Evidence collection checklist — what artifacts auditors will request

Example Output

{
  "company": "Acme SaaS Inc.",
  "overall_readiness_score": 61,
  "readiness_tier": "Partially Ready",
  "audit_type_recommendation": "Achieve Type I first (target: 90 days), then Type II",
  "estimated_time_to_ready": "3-4 months",
  "tsc_scores": {
    "security_cc": { "score": 70, "gaps": 2 },
    "availability": { "score": 80, "gaps": 1 },
    "processing_integrity": { "score": 50, "gaps": 2 },
    "confidentiality": { "score": 60, "gaps": 1 },
    "privacy": { "score": 40, "gaps": 2 }
  },
  "critical_gaps": [
    "No incident response plan — CC7.3, CC7.4 non-compliant",
    "No vendor management program — CC9.2 non-compliant",
    "No security awareness training — CC1.4 non-compliant",
    "No change management process — CC8.1 non-compliant"
  ],
  "immediate_actions": [
    "Draft and approve Incident Response Plan (14 days)",
    "Implement vendor risk questionnaire for all third parties (21 days)",
    "Schedule and complete first security awareness training cycle (30 days)"
  ],
  "evidence_checklist": [
    "Access control configuration screenshots",
    "Encryption settings documentation",
    "Backup test results (last 90 days)",
    "Security policy sign-off records",
    "Audit log samples"
  ]
}

API Reference

Base URL: https://portal.toolweb.in/apis/compliance/soc2-readiness

Endpoint	Method	Description
`/soc2-assessment`	POST	Run full SOC 2 readiness assessment

Authentication: Pass your API key as X-API-Key header or mcp_api_key argument via MCP.

Pricing

Plan	Daily Limit	Monthly Limit	Price
Free	5 / day	50 / month	$0
Developer	20 / day	500 / month	$39
Professional	200 / day	5,000 / month	$99
Enterprise	100,000 / day	1,000,000 / month	$299

About

ToolWeb.in — 200+ security APIs, CISSP & CISM certified, built for enterprise compliance practitioners.

Platforms: Pay-per-run · API Gateway · MCP Server · OpenClaw · RapidAPI · YouTube

Files

1 total

Select a file

Select a file to preview.

Comments

Loading comments…