SOC 2 Readiness Checker
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent instruction-only SOC 2 assessment skill, but users should note that it uses a third-party API, may handle sensitive security posture details, and requires a ToolWeb API key if used.
This skill appears purpose-aligned and instruction-only. Before using it, verify ToolWeb as the intended provider, use a dedicated API key, and avoid submitting secrets or detailed internal evidence beyond the high-level SOC 2 readiness fields required for the assessment.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Information about the user's cloud services and security controls could reveal internal compliance gaps if shared outside the organization.
The skill documents use of an external API for the SOC 2 assessment, so organization security posture details may be sent to a third-party service.
Base URL: `https://portal.toolweb.in/apis/compliance/soc2-readiness`
Verify the provider and only submit information the organization is comfortable sharing with that service; avoid including secrets, credentials, customer data, or detailed internal configurations.
A ToolWeb API key could authorize usage or billing against the user's account if exposed or reused improperly.
The skill requires a service API key for authentication, which is expected for the external API but still grants access to the user's ToolWeb account or quota.
Authentication: Pass your API key as `X-API-Key` header or `mcp_api_key` argument via MCP.
Use a dedicated, least-privilege API key for this service, keep it out of prompts and logs where possible, monitor usage, and revoke it if no longer needed.
Users have less registry-level provenance information when deciding whether to trust the third-party API with security posture data or an API key.
The registry metadata does not identify a source repository or homepage, even though the skill points users to an external provider API.
Source: unknown; Homepage: none
Confirm the provider identity and terms through trusted channels before sending sensitive organizational information or using a paid API key.
