AuditClaw Gcp
Pass
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a coherent read-only GCP audit evidence collector, but it needs broad GCP read access and stores cloud security findings in a local GRC database.
Before installing, confirm you want this skill to read audit-relevant configuration from the selected GCP project and store the results locally. Prefer a dedicated read-only service account, protect the service account JSON key and the compliance.sqlite database, and verify GCP_PROJECT_ID points to the intended project.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can read a wide range of GCP project metadata, IAM/security settings, resource names, and audit-relevant configuration, though the provided code shows read-only GCP API usage.
The skill requires GCP credentials and project-level read roles, including broad viewer and security-reviewer access, to inspect cloud configuration.
**Credentials**: Uses standard GCP credential chain (`GOOGLE_APPLICATION_CREDENTIALS` or `gcloud auth`). ... Required IAM Roles ... `roles/viewer` ... `roles/iam.securityReviewer`
Use a dedicated service account limited to the intended project, grant only the documented read-only roles, store the JSON key securely, and rotate or revoke it when no longer needed.
The local GRC database may retain sensitive cloud security evidence such as resource names, service account emails, firewall findings, and configuration details that other GRC workflows may later read.
The orchestrator stores detailed check results, including JSON evidence, in a persistent local GRC SQLite database.
`DEFAULT_DB_PATH = os.path.expanduser("~/.openclaw/grc/compliance.sqlite")` ... `"--file-content", json.dumps(result, default=str)`
Protect the GRC database file, avoid running the sweep against unintended projects, and review or remove stored evidence before sharing backups or workspaces.
Running this skill may also run code from the companion auditclaw-grc skill, which is expected for the integration but means both skills must be trusted.
When the companion auditclaw-grc helper is present, this skill executes that local db_query.py script to add evidence to the shared database.
`cmd = [sys.executable, db_query, "--db-path", db_path, "--action", "add-evidence", ...]` ... `subprocess.run(cmd, capture_output=True, text=True)`
Install auditclaw-grc from a trusted source and keep both skills updated; if desired, review the companion db_query.py before running evidence collection.
