AI Compliance

Audited by ClawScan on May 10, 2026.

Overview

This is mostly a documentation-only AI compliance helper, but it bundles company-specific security/compliance details and log-review instructions that should be checked before use.

Before installing, verify whether this skill is intended for your organization. If not, remove or rewrite the fi.com and webhook_events sections, and do not let the agent inspect DLP logs or raw prompts unless you have explicit authorization and a redaction process.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may repeat or rely on these internal, time-sensitive claims in unrelated assessments, exposing sensitive security posture or producing misleading advice.

Why it was flagged

The reference file stores named-firm, time-sensitive observations about sensitive data and credential/token exposure as persistent context, not placeholders.

Skill content

## fi.com Specific Guidance ... Based on current webhook_events data, the following are **actively being entered** into Perplexity and ChatGPT ... | Credentials/passwords | ... | GitHub tokens |

Recommendation

Remove or replace firm-specific telemetry with placeholders, or clearly mark it as private/internal and require fresh user-supplied, authorized data before using it.

What this means

If followed too broadly, pulling raw prompts could expose PII, confidential data, or secrets.

Why it was flagged

The playbook expects access to raw AI prompts/DLP logs, which are highly sensitive, but it is presented as incident-response guidance rather than automatic execution.

Skill content

Pull raw prompt from webhook_events or DLP logs if available ... Check webhook_events for similar events from same user or data type

Recommendation

Use only with explicit authorization, minimize queries, redact raw prompts in outputs, and keep audit logs.

What this means

Running it blindly could create or modify protected files or apply the wrong local account/permissions.

Why it was flagged

A remediation example includes privileged shell commands and a local user-specific ownership change; it is not an install step and is user-directed.

Skill content

sudo mkdir -p /etc/openclaw ... sudo nano /etc/openclaw/secrets.env ... sudo chown bcaddy:bcaddy /etc/openclaw/secrets.env

Recommendation

Do not run without environment review; adapt ownership and paths, and prefer a managed secrets vault where possible.