AuditClaw GRC

v1.0.2

AI-native GRC (Governance, Risk, and Compliance) for OpenClaw. 97 actions across 13 frameworks including SOC 2, ISO 27001, HIPAA, GDPR, NIST CSF, PCI DSS, CI...

0 · 551 · 0 current · 2 all-time
by Nikhil Jathar (@mailnike)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
The skill claims to be a GRC assistant and includes database scripts, scanning tools (HTTP headers, SSL), reporting/dashboard generation, drift detection, and credential helpers. The requested binaries (python3 and an optional headless browser) and the included scripts match that purpose. Optional cloud integration environment variables are declared and are appropriate for the described companion skills.
Instruction Scope
SKILL.md instructs running local Python scripts, creating a local SQLite DB in ~/.openclaw/grc, and running scans against user-specified URLs. The scripts shown (check_headers.py, check_ssl.py, drift_detector.py, generate_dashboard.py, auth_provider.py) operate on local DB/evidence paths and perform network calls only to target URLs or to cloud SDKs when configured. Drift detection explicitly restricts file reads to the ~/.openclaw/grc directory. There are no instructions to read or exfiltrate arbitrary system files.
Install Mechanism
SKILL.md contains an install hint (pip install -r scripts/requirements.txt and python3 scripts/init_db.py) and the package includes a local requirements.txt that pins only 'requests'. There is no remote download or third-party package installation beyond this local pip requirement, which is proportionate. Note: registry metadata listed 'No install spec' while SKILL.md includes metadata.install; this metadata inconsistency is harmless but worth noting.
Credentials
No required environment variables are declared. A set of optional env vars are listed (AWS/GCP/Azure/GITHUB/IDP related) and are only needed for their respective companion cloud integrations. The auth provider falls back to standard SDK defaults (env vars, ~/.aws, ADC, etc.), which is expected for cloud integration. The skill also implements a local credential store (credential_store.py) rather than forcing env vars, which fits the stated design. Because these vars enable cloud access, grant them only if you intend to use the companion integrations.
Persistence & Privilege
The skill stores data in the user's home under ~/.openclaw/grc and claims to use owner-only permissions for DB and credential files. It does not request system-wide config changes or always:true inclusion. Post-install DB initialization is normal for such a tool. The storage location and behaviors are consistent with the stated purpose.
Assessment
This package appears coherent for a local GRC tool, but you should take a few precautions before installing:
1) Review the credential_store.py and auth_provider.py files to confirm how secrets are encrypted, saved, and deleted (the code claims owner-only perms and secure deletion; verify those behaviors).
2) Run the skill in a development or isolated account/machine (or container) first, especially before supplying any cloud credentials.
3) When enabling cloud integrations, prefer roles or short-lived credentials (IAM AssumeRole, service account impersonation) rather than long-lived keys.
4) Inspect db_query.py and any omitted scripts for unexpected external network endpoints or logging of secrets.
5) Note the small metadata inconsistency (SKILL.md lists an install step while registry metadata said no install spec); not a security problem but worth being aware of.
If you want higher assurance, provide the full credential_store.py and db_query.py for targeted review, or run the unit tests included in the repo in an isolated environment and inspect network activity during test runs.


Tags: audit, compliance, gdpr, grc, hipaa, iso27001, latest, nist, pci-dss, security, soc2


Runtime requirements

OS: macOS · Linux
Bins: python3
Any bin: chromium, google-chrome, brave, chromium-browser
