AuditClaw Gcp
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: auditclaw-gcp
Version: 1.0.2

The OpenClaw AgentSkills bundle 'auditclaw-gcp' is designed for GCP compliance evidence collection, performing read-only checks across various GCP services. All interactions with GCP APIs are read-only, and results are stored locally in `~/.openclaw/grc/compliance.sqlite`. The skill uses standard Google Cloud SDKs, with dependencies pinned in `scripts/requirements.txt`. While `scripts/gcp_evidence.py` uses `subprocess.run` for inter-skill communication with `db_query.py` (from `auditclaw-grc`), the arguments are constructed from internal data and JSON-encoded, mitigating direct shell injection risks from this skill. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, obfuscation, or prompt injection attempts in `SKILL.md` or `README.md`. The requested IAM roles are explicitly read-only, aligning with the stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can read a wide range of GCP project metadata, IAM/security settings, resource names, and audit-relevant configuration, though the provided code shows read-only GCP API usage.
The skill requires GCP credentials and project-level read roles, including broad viewer and security-reviewer access, to inspect cloud configuration.
**Credentials**: Uses standard GCP credential chain (`GOOGLE_APPLICATION_CREDENTIALS` or `gcloud auth`). ... Required IAM Roles ... `roles/viewer` ... `roles/iam.securityReviewer`
Use a dedicated service account limited to the intended project, grant only the documented read-only roles, store the JSON key securely, and rotate or revoke it when no longer needed.
The local GRC database may retain sensitive cloud security evidence such as resource names, service account emails, firewall findings, and configuration details that other GRC workflows may later read.
The orchestrator stores detailed check results, including JSON evidence, in a persistent local GRC SQLite database.
DEFAULT_DB_PATH = os.path.expanduser("~/.openclaw/grc/compliance.sqlite") ... "--file-content", json.dumps(result, default=str)
Protect the GRC database file, avoid running the sweep against unintended projects, and review or remove stored evidence before sharing backups or workspaces.
Running this skill may also run code from the companion auditclaw-grc skill, which is expected for the integration but means both skills must be trusted.
When the companion auditclaw-grc helper is present, this skill executes that local db_query.py script to add evidence to the shared database.
cmd = [sys.executable, db_query, "--db-path", db_path, "--action", "add-evidence", ...] ... subprocess.run(cmd, capture_output=True, text=True)
Install auditclaw-grc from a trusted source and keep both skills updated; if desired, review the companion db_query.py before running evidence collection.
