AuditClaw Idp

v1.0.2

Identity provider compliance checks for auditclaw-grc. 8 read-only checks across Google Workspace (MFA, admin audit, inactive users, passwords) and Okta (MFA...

by Nikhil Jathar (@mailnike)
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name and description claim read-only Google Workspace and Okta checks; the code implements exactly those checks and only asks (optionally) for a Google service account JSON + admin email and an Okta org URL + API token. The required binary (python3) and Python dependencies match the implementation. Minor mismatch: SKILL.md mentions an extra read-only reports scope, but the build function uses only the directory.users readonly scope; this is an implementation detail, not a capability mismatch.
Instruction Scope
Runtime instructions and idp_evidence.py are explicit: call provider APIs, assemble findings, and store evidence in the shared GRC DB (~/.openclaw/grc/compliance.sqlite). The script tries to invoke auditclaw-grc's db_query.py (subprocess) if present, and falls back to direct SQLite INSERT into the DB. These behaviors are coherent with the documented evidence-storage model but mean the skill will read environment variables, potentially read a local service-account JSON file path, and write into the shared GRC DB — all expected for this integration.
Install Mechanism
No remote downloads or installers in the registry entry; the skill is instruction/code-only. Dependencies are standard Python packages pinned in scripts/requirements.txt (google-api-python-client, google-auth, requests). Installation via 'pip install -r scripts/requirements.txt' is documented. No high-risk external downloads or extract steps were observed.
Credentials
Requested credentials (Google SA key path + admin email; Okta org URL + API token) are proportional to the stated checks. The skill does not request unrelated secrets or broad OS-level credentials. Environment variables are optional (providers can be skipped).
Persistence & Privilege
The skill does write to a shared GRC SQLite DB and updates an 'integrations' record; it also attempts to execute a db_query.py script if available. The skill is marked always:false and requests no automatic elevation. Writing into the shared DB is expected for this integration, but it does imply trust in the skill and in the database path provided; the skill does not modify other skills or system configuration beyond the GRC DB.
Assessment
This skill appears to do what it claims: read-only audits of Google Workspace and Okta, with results stored in the AuditClaw GRC database. Before installing or running it:
1) Provide only a Google service account with the minimal domain-wide delegation scopes (and the correct admin_email) and an Okta API token created by a read-only admin; avoid giving more-privileged keys.
2) Confirm the target DB path (~/.openclaw/grc/compliance.sqlite) is the intended AuditClaw GRC database and that you trust its schema and backups, because the skill will insert rows directly if the db_query helper is absent.
3) Review the local auditclaw-grc/scripts/db_query.py on your system (if present), since the skill will invoke it via subprocess; ensure it is the legitimate script.
4) Verify file permissions for the service-account JSON and the DB so secrets and evidence are protected.
These are expected operational checks, not evidence of malicious behavior.


Runtime requirements

Bins: python3
Latest: vk9723w5902wpd4wkqner6mpxns819hd8
550 downloads · 0 stars · 3 versions
Updated 1mo ago
v1.0.2
MIT-0

AuditClaw IDP

Companion skill for auditclaw-grc. Collects compliance evidence from Google Workspace and Okta identity providers using read-only API calls.

8 checks | Read-only API access | Evidence stored in shared GRC database

Security Model

  • Read-only access: Google Workspace uses admin.directory.user.readonly scope only. Okta uses okta.users.read, okta.factors.read, okta.policies.read scopes only. No write/modify permissions.
  • Credentials: Uses standard env vars for each provider. No credentials stored by this skill.
  • Dependencies: Google API client + requests (all pinned in requirements.txt)
  • Data flow: Check results stored as evidence in ~/.openclaw/grc/compliance.sqlite via auditclaw-grc

Prerequisites

  • Google Workspace: Service account JSON with domain-wide delegation, admin email for impersonation
  • Okta: API token (SSWS) with read-only scopes
  • pip install -r scripts/requirements.txt
  • auditclaw-grc skill installed and initialized

Environment Variables

Google Workspace (optional; skip if not configured)

  • GOOGLE_WORKSPACE_SA_KEY: Path to service account JSON file
  • GOOGLE_WORKSPACE_ADMIN_EMAIL: Super admin email to impersonate

Okta (optional; skip if not configured)

Commands

  • "Run IDP evidence sweep": Run all checks for configured providers
  • "Check Google Workspace MFA": Run Google MFA check
  • "Check Okta password policies": Run Okta password policy check
  • "Show IDP integration health": Last sync, errors, evidence count

Usage

All evidence is stored in the shared GRC database at ~/.openclaw/grc/compliance.sqlite via the auditclaw-grc skill's db_query.py script.

To run a full evidence sweep (all configured providers):

python3 scripts/idp_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --all

To run checks for a specific provider:

python3 scripts/idp_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --provider google
python3 scripts/idp_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --provider okta

To run specific checks:

python3 scripts/idp_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --checks google_mfa,okta_mfa

Check Categories (8)

Check            | Provider         | What It Verifies
-----------------|------------------|-----------------------------------------------------------------------------
google_mfa       | Google Workspace | All active users have 2SV enrolled + enforced
google_admins    | Google Workspace | Super admin count 2-4, all with 2SV
google_inactive  | Google Workspace | No active users with lastLoginTime > 90 days
google_passwords | Google Workspace | All users have passwordStrength == "STRONG"
okta_mfa         | Okta             | All active users have at least 1 MFA factor enrolled
okta_passwords   | Okta             | Password policy: minLength>=12, history>=5, maxAttempts<=5, maxAge<=90
okta_inactive    | Okta             | No active users with lastLogin > 90 days
okta_sessions    | Okta             | MFA required, session lifetime <= 12h, idle <= 1h
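The thresholds in the table are simple to state but easy to get subtly wrong (enrolled-but-not-enforced 2SV, suspended accounts, never-logged-in users, and Okta's convention of 0 meaning "disabled"). The following is an added example written for this page, not code from the auditclaw-idp skill, that evaluates five of the eight checks against constructed sample records. Google user field names follow the Directory API users resource; the Okta password-policy and sign-on-rule shapes, and the reading of 0 as "no limit", are assumptions from memory of Okta's API rather than facts stated on the page.

```python
"""Threshold logic for the check table above, run on constructed sample data.

Added example, not code from the auditclaw-idp skill. Google user fields
(primaryEmail, suspended, isAdmin, isEnrolledIn2Sv, isEnforcedIn2Sv,
lastLoginTime) follow the Directory API users resource; the Okta password
policy and sign-on rule shapes, and the meaning of 0 as "disabled/no limit",
are assumptions, not facts stated on the page.
"""
from datetime import datetime, timedelta, timezone

INACTIVE_DAYS = 90  # cutoff shared by google_inactive and okta_inactive


def _rfc3339(ts):
    # Google emits "2025-01-15T08:30:00.000Z"; users who never logged in get an
    # epoch-0 timestamp, which the comparison below correctly treats as inactive.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _has_2sv(user):
    # The table requires 2SV enrolled AND enforced; enrolled-only is a finding.
    return bool(user.get("isEnrolledIn2Sv") and user.get("isEnforcedIn2Sv"))


def google_mfa(users):
    failing = [u["primaryEmail"] for u in users if not u.get("suspended") and not _has_2sv(u)]
    return {"check": "google_mfa", "passed": not failing, "users_without_2sv": failing}


def google_admins(users):
    admins = [u for u in users if u.get("isAdmin") and not u.get("suspended")]
    no_2sv = [u["primaryEmail"] for u in admins if not _has_2sv(u)]
    return {"check": "google_admins", "passed": 2 <= len(admins) <= 4 and not no_2sv,
            "admin_count": len(admins), "admins_without_2sv": no_2sv}


def google_inactive(users, now):
    cutoff = now - timedelta(days=INACTIVE_DAYS)
    stale = [u["primaryEmail"] for u in users
             if not u.get("suspended") and _rfc3339(u["lastLoginTime"]) < cutoff]
    return {"check": "google_inactive", "passed": not stale, "inactive_users": stale}


def okta_passwords(policy):
    pw = policy["settings"]["password"]
    actual = {"minLength": pw["complexity"]["minLength"],
              "history": pw["age"]["historyCount"],
              "maxAttempts": pw["lockout"]["maxAttempts"],
              "maxAge": pw["age"]["maxAgeDays"]}
    # Assumption: Okta uses 0 for "lockout disabled" / "passwords never expire".
    # A plain "<= limit" test would pass 0, so 0 is treated as a violation here.
    rules = {"minLength": lambda v: v >= 12,
             "history": lambda v: v >= 5,
             "maxAttempts": lambda v: 0 < v <= 5,
             "maxAge": lambda v: 0 < v <= 90}
    violations = {k: v for k, v in actual.items() if not rules[k](v)}
    return {"check": "okta_passwords", "passed": not violations, "violations": violations}


def okta_sessions(rule):
    signon = rule["actions"]["signon"]
    session = signon["session"]
    problems = []
    if not signon.get("requireFactor"):
        problems.append("MFA not required by sign-on rule")
    # Assumption: 0 minutes means "no limit" in Okta, so it must count as too long.
    lifetime, idle = session["maxSessionLifetimeMinutes"], session["maxSessionIdleMinutes"]
    if lifetime == 0 or lifetime > 12 * 60:
        problems.append("session lifetime exceeds 12h")
    if idle == 0 or idle > 60:
        problems.append("idle timeout exceeds 1h")
    return {"check": "okta_sessions", "passed": not problems, "problems": problems}


# --- constructed sample input (not real tenant data) ---
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock for reproducible results
SAMPLE_GOOGLE_USERS = [
    {"primaryEmail": "alice@example.com", "isAdmin": True, "isEnrolledIn2Sv": True,
     "isEnforcedIn2Sv": True, "lastLoginTime": "2025-05-30T09:00:00.000Z"},
    {"primaryEmail": "bob@example.com", "isAdmin": True, "isEnrolledIn2Sv": True,
     "isEnforcedIn2Sv": True, "lastLoginTime": "2025-05-20T09:00:00.000Z"},
    {"primaryEmail": "carol@example.com", "isEnrolledIn2Sv": True,
     "isEnforcedIn2Sv": False, "lastLoginTime": "2025-01-10T09:00:00.000Z"},
    {"primaryEmail": "former@example.com", "suspended": True, "isEnrolledIn2Sv": False,
     "isEnforcedIn2Sv": False, "lastLoginTime": "1970-01-01T00:00:00.000Z"},
]
SAMPLE_OKTA_PASSWORD_POLICY = {"settings": {"password": {
    "complexity": {"minLength": 14}, "age": {"historyCount": 5, "maxAgeDays": 0},
    "lockout": {"maxAttempts": 10}}}}
SAMPLE_OKTA_SIGNON_RULE = {"actions": {"signon": {"requireFactor": True,
    "session": {"maxSessionLifetimeMinutes": 0, "maxSessionIdleMinutes": 120}}}}


def run_all():
    results = [google_mfa(SAMPLE_GOOGLE_USERS),
               google_admins(SAMPLE_GOOGLE_USERS),
               google_inactive(SAMPLE_GOOGLE_USERS, NOW),
               okta_passwords(SAMPLE_OKTA_PASSWORD_POLICY),
               okta_sessions(SAMPLE_OKTA_SIGNON_RULE)]
    return {r["check"]: r for r in results}


if __name__ == "__main__":
    for name, r in run_all().items():
        print(f"{name:16} {'PASS' if r['passed'] else 'FAIL'} {r}")
```

Two design points matter for a compliance check like this: suspended users are excluded before any threshold is applied, so a disabled account with no 2SV does not generate a finding, and the Okta checks refuse to treat a value of 0 as satisfying an upper bound, since in that API 0 disables the control rather than setting it to zero.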

Evidence Storage

Each check produces evidence items stored with:

  • source: "idp"
  • type: "automated"
  • control_id: Mapped to relevant SOC2/ISO/NIST/HIPAA controls
  • description: Human-readable finding summary
  • file_content: JSON details of the check result
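The scan report notes that the skill falls back to a direct SQLite INSERT when the db_query.py helper is absent. As an added example (not code from auditclaw-grc or this skill), the block below turns a check result into evidence items with exactly the five fields listed above and writes them with parameterised statements. The table name "evidence", the id/created_at columns, and the control IDs are assumptions: the page does not show the compliance.sqlite schema or the check-to-control mapping, so the control IDs are labelled placeholders.

```python
"""Assemble evidence rows from a check result and store them in a GRC SQLite
database with parameterised INSERTs.

Added example, not code from auditclaw-grc or this skill. The evidence fields
(source, type, control_id, description, file_content) are the ones listed
on the page; the table name "evidence", the id/created_at columns and the
control IDs are assumptions, because the real compliance.sqlite schema and
the check-to-control mapping are not shown.
"""
import json
import sqlite3
from datetime import datetime, timezone

# Placeholder control IDs: the page says checks map to SOC2/ISO/NIST/HIPAA
# controls but does not list them, so these are labelled placeholders.
CONTROL_MAP = {
    "google_mfa": ["PLACEHOLDER-SOC2-MFA", "PLACEHOLDER-ISO-MFA"],
    "okta_passwords": ["PLACEHOLDER-NIST-PASSWORD"],
}

ASSUMED_SCHEMA = """
CREATE TABLE IF NOT EXISTS evidence (
    id           INTEGER PRIMARY KEY AUTOINCREMENT,
    source       TEXT NOT NULL,
    type         TEXT NOT NULL,
    control_id   TEXT NOT NULL,
    description  TEXT NOT NULL,
    file_content TEXT NOT NULL,
    created_at   TEXT NOT NULL
)
"""


def open_db(path=":memory:"):
    # Direct-INSERT fallback path: create the assumed table if it is missing.
    conn = sqlite3.connect(path)
    conn.execute(ASSUMED_SCHEMA)
    return conn


def to_evidence_items(result, now=None):
    """One evidence item per mapped control; file_content carries the full result as JSON."""
    now = now or datetime.now(timezone.utc)
    status = "PASS" if result["passed"] else "FAIL"
    details = {k: v for k, v in result.items() if k not in ("check", "passed")}
    description = f"{result['check']}: {status} ({json.dumps(details, sort_keys=True)})"
    return [{
        "source": "idp",
        "type": "automated",
        "control_id": cid,
        "description": description,
        "file_content": json.dumps(result, sort_keys=True),
        "created_at": now.isoformat(),
    } for cid in CONTROL_MAP.get(result["check"], ["PLACEHOLDER-UNMAPPED"])]


def store_evidence(conn, items):
    # Named placeholders keep API-derived strings (emails, policy names) out of
    # the SQL text; never build this statement with string formatting.
    conn.executemany(
        "INSERT INTO evidence (source, type, control_id, description, file_content, created_at) "
        "VALUES (:source, :type, :control_id, :description, :file_content, :created_at)",
        items,
    )
    conn.commit()
    return len(items)


def stored_results(conn, source="idp"):
    """Read back file_content for a source, parsed into (control_id, result) pairs."""
    rows = conn.execute(
        "SELECT control_id, file_content FROM evidence WHERE source = ? ORDER BY id", (source,)
    ).fetchall()
    return [(cid, json.loads(content)) for cid, content in rows]


if __name__ == "__main__":
    db = open_db()  # in-memory stand-in for ~/.openclaw/grc/compliance.sqlite
    sample = {"check": "google_mfa", "passed": False, "users_without_2sv": ["carol@example.com"]}
    print(store_evidence(db, to_evidence_items(sample)), "row(s) written")
    for cid, res in stored_results(db):
        print(cid, res)
```

Running this against a real path instead of ":memory:" is exactly the direct-write behaviour the scan report describes, which is why the report advises confirming the DB path and its file permissions first: user emails and policy details end up in file_content, so the database inherits the sensitivity of the IdP data.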

Setup Guide

AuditClaw supports two identity providers. Configure one or both.

Google Workspace Setup

Step 1: Enable Admin SDK API. Go to Google Cloud Console → APIs & Services → Library and enable "Admin SDK API".

Step 2: Create Service Account. IAM & Admin → Service Accounts → Create. Enable domain-wide delegation.

Step 3: Grant OAuth Scopes. In Google Admin → Security → API controls → Domain-wide delegation, add the service account with:

  • https://www.googleapis.com/auth/admin.directory.user.readonly
  • https://www.googleapis.com/auth/admin.reports.audit.readonly

Step 4: Set Environment Variables

  • GOOGLE_WORKSPACE_SA_KEY=/path/to/service-account.json
  • GOOGLE_WORKSPACE_ADMIN_EMAIL=admin@yourdomain.com

Okta Setup

Step 1: Create API Token. Okta Admin → Security → API → Tokens → Create Token. Name: auditclaw-scanner

Step 2: Required Permissions. The token inherits the creating admin's permissions. Needs read access to: users, factors, policies. Scopes: okta.users.read, okta.factors.read, okta.policies.read

Step 3: Set Environment Variables

Verify Connection

Run: python3 {baseDir}/scripts/idp_evidence.py --test-connection

The exact permissions are documented in scripts/idp-permissions.json. Show with: python3 {baseDir}/../auditclaw-grc/scripts/db_query.py --action show-policy --provider idp
