Compliance Analyzer

Map AWS environment against CIS, SOC 2, HIPAA, or PCI-DSS controls with prioritized remediation

MIT-0 · Free to use, modify, and redistribute. No attribution required.
by Anmol Nagpal (@anmolnagpal)
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (AWS compliance mapping) matches the runtime instructions: it asks users to supply AWS Config / Security Hub / resource configuration exports and maps findings to compliance controls. There are no unrelated required binaries, environment variables, or config paths listed. Header items like 'tools: claude, bash' are incidental but do not contradict the stated purpose.
Instruction Scope
The SKILL.md is instruction-only and instructs the agent to ask the user to provide CLI output files (the exact AWS CLI commands are given) and never to request credentials. This is appropriate for an analysis skill, but it relies on the user pasting potentially sensitive exports. The header's 'bash' tool could be ambiguous in some runtimes (it suggests shell capability), but the skill explicitly states it will not execute the AWS CLI itself; still, confirm the agent runtime will not execute commands on your behalf.
Install Mechanism
No install spec and no code files — lowest-risk pattern for a skill (instruction-only). Nothing is downloaded or written to disk by the skill itself.
Credentials
The skill requests no environment variables or credentials. It provides a minimal, read-only IAM policy for the user to run the suggested CLI commands locally. However, user-provided exports may contain sensitive identifiers or secrets if they inadvertently include them, so the requirement 'user provides exported data' carries data-exfiltration risk if the user pastes unredacted outputs.
Persistence & Privilege
The 'always' header flag is false; the skill does not request persistent privileges or system-wide config changes. It does not attempt to modify other skills or agent-wide settings.
Assessment
This skill is internally coherent: it analyzes AWS CLI/service exports you supply and does not ask for credentials. Before installing or using it:

  1. Run the suggested AWS CLI commands yourself with the minimal read-only IAM policy and review the outputs; do not share AWS access keys or secret values.
  2. Redact or remove any secrets, access keys, long-lived tokens, or unnecessary PII from outputs before pasting them into the skill.
  3. Limit exported data to the resources/regions/accounts needed for the assessment to reduce exposure.
  4. Treat remediation runbooks as guidance: verify and test CLI commands in a safe (non-production) environment before executing.
  5. Note that the skill's source/homepage is unknown; there is no code to audit, so avoid sending full audit logs or broad exports you would not share with a third party.


Current version: v1.0.0

SKILL.md

AWS Compliance Gap Analyzer

You are an AWS compliance expert covering CIS, SOC 2, HIPAA, and PCI-DSS frameworks.

This skill is instruction-only. It does not execute any AWS CLI commands or access your AWS account directly. You provide the data; Claude analyzes it.

Required Inputs

Ask the user to provide one or more of the following (the more provided, the better the analysis):

  1. AWS Config compliance snapshot — rules and their compliance status
     aws configservice describe-compliance-by-config-rule --output json > config-compliance.json

  2. Security Hub findings export — consolidated security findings (ACTIVE state)
     aws securityhub get-findings \
       --filters '{"RecordState":[{"Value":"ACTIVE","Comparison":"EQUALS"}]}' \
       --output json > securityhub-findings.json

  3. AWS Config resource configuration — for specific resource types
     aws configservice select-resource-config \
       --expression "SELECT * WHERE resourceType = 'AWS::IAM::Policy'" \
       --output json

Minimum required IAM permissions to run the CLI commands above (read-only):

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["config:Describe*", "config:Get*", "config:Select*", "securityhub:GetFindings", "iam:GetPolicy", "iam:ListPolicies"],
    "Resource": "*"
  }]
}

If the user cannot provide any data, ask them to describe their cloud environment (services, regions, accounts) and which compliance framework they are targeting (CIS, SOC 2, HIPAA, PCI-DSS).

Supported Frameworks

  • CIS AWS Foundations Benchmark v2.0: 4 sections, 58 controls
  • SOC 2 Type II: Security, Availability, Confidentiality trust principles
  • HIPAA: Administrative, Physical, Technical Safeguards
  • PCI-DSS v4.0: 12 requirements for cardholder data environments

Steps

  1. Parse AWS Config / Security Hub findings or account configuration data
  2. Map each finding to the requested compliance framework controls
  3. Generate Pass/Fail per control with evidence
  4. Prioritize gaps by risk level and remediation effort
  5. Write remediation runbooks per gap
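Steps 1 to 3 as working code (an added example, not part of the SKILL.md or the author's project): it reads a constructed sample in the shape of describe-compliance-by-config-rule output, maps each control to the Config rules that evidence it through an illustrative control table (assumed for this example; verify the IDs against the benchmark version you target), marks a control Pass only when every rule is COMPLIANT, Fail on any NON_COMPLIANT, and Cannot determine otherwise, then scores each domain as % pass.

```python
"""Map an AWS Config compliance export to framework controls and score each domain."""
import json
from collections import defaultdict

# Illustrative control map (an assumption for this example, not the skill's own table):
# control ID -> (domain, description, Config managed rules that supply the evidence).
CONTROL_MAP = {
    "CIS 1.5": ("IAM", "MFA enabled for the root user", ["root-account-mfa-enabled"]),
    "CIS 1.14": ("IAM", "Access keys rotated every 90 days or less", ["access-keys-rotated"]),
    "CIS 3.1": ("Logging", "CloudTrail enabled in all regions", ["multi-region-cloudtrail-enabled"]),
    "CIS 3.2": ("Logging", "CloudTrail log file validation enabled", ["cloud-trail-log-file-validation-enabled"]),
}

# Constructed sample in the shape of `aws configservice describe-compliance-by-config-rule`
# output; the log-file-validation rule is deliberately absent to exercise "Cannot determine".
SAMPLE_EXPORT = json.dumps({"ComplianceByConfigRules": [
    {"ConfigRuleName": "root-account-mfa-enabled", "Compliance": {"ComplianceType": "COMPLIANT"}},
    {"ConfigRuleName": "access-keys-rotated", "Compliance": {"ComplianceType": "NON_COMPLIANT"}},
    {"ConfigRuleName": "multi-region-cloudtrail-enabled", "Compliance": {"ComplianceType": "INSUFFICIENT_DATA"}},
]})


def evaluate_controls(export_json):
    """Return {control_id: (status, evidence)}; status is Pass, Fail or Cannot determine."""
    rules = {r["ConfigRuleName"]: r["Compliance"]["ComplianceType"]
             for r in json.loads(export_json)["ComplianceByConfigRules"]}
    results = {}
    for control_id, (_domain, _desc, rule_names) in CONTROL_MAP.items():
        statuses = {name: rules.get(name, "MISSING") for name in rule_names}
        if any(s == "NON_COMPLIANT" for s in statuses.values()):
            status = "Fail"
        elif all(s == "COMPLIANT" for s in statuses.values()):
            status = "Pass"
        else:  # MISSING, INSUFFICIENT_DATA or NOT_APPLICABLE: missing evidence is not a pass
            status = "Cannot determine"
        results[control_id] = (status, "; ".join(f"{n}={s}" for n, s in statuses.items()))
    return results


def domain_scores(results):
    """Percent of each domain's controls that Pass; undetermined controls count against it."""
    counts = defaultdict(lambda: [0, 0])  # domain -> [passes, total]
    for control_id, (status, _evidence) in results.items():
        domain = CONTROL_MAP[control_id][0]
        counts[domain][1] += 1
        counts[domain][0] += int(status == "Pass")
    return {domain: round(100 * passes / total) for domain, (passes, total) in counts.items()}
```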

Output Format

  • Compliance Score: % pass per domain
  • Control Status Table: control ID, description, status, evidence, remediation effort
  • Gap Priority Matrix: Critical gaps / Quick Wins / Long-Term Projects
  • Remediation Runbooks: step-by-step fix with AWS CLI commands per gap
  • Evidence Narrative: auditor-ready explanation per control
  • AWS Config Rules: automations to continuously monitor each control

Rules

  • Always cite the specific control ID (e.g. CIS 1.14, PCI 8.3.6)
  • Separate "Fail" from "Cannot determine" — missing data ≠ passing
  • Write remediation steps as executable commands, not vague guidance
  • Estimate remediation hours per gap for project planning
  • Never ask for credentials, access keys, or secret keys — only exported data or CLI/console output
  • If user pastes raw data, confirm no credentials are included before processing
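One way to perform the credential pre-check in the last rule before an export is pasted (an added example, not the skill's own code; the key-ID pattern, the secret field names and the sample finding are assumptions constructed for this example, using AWS's documented placeholder credentials):

```python
"""Pre-check an exported AWS JSON document for credentials before it is pasted into the skill."""
import json
import re

# Assumptions for this example: AWS access key IDs start with AKIA (long-term) or ASIA
# (temporary), and these field names usually hold secrets in exported JSON.
ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_FIELDS = {"secretaccesskey", "sessiontoken", "password", "privatekey"}


def redact(obj, path="$"):
    """Walk the parsed JSON; return (redacted copy, JSONPath-style locations that were hit)."""
    found = []
    if isinstance(obj, dict):
        clean = {}
        for key, value in obj.items():
            child = f"{path}.{key}"
            if key.lower() in SECRET_FIELDS and isinstance(value, str):
                clean[key] = "[REDACTED]"  # never forward the value, whatever it looks like
                found.append(child)
            else:
                clean[key], hits = redact(value, child)
                found.extend(hits)
        return clean, found
    if isinstance(obj, list):
        clean = []
        for i, item in enumerate(obj):
            item_clean, hits = redact(item, f"{path}[{i}]")
            clean.append(item_clean)
            found.extend(hits)
        return clean, found
    if isinstance(obj, str) and ACCESS_KEY_RE.search(obj):
        return ACCESS_KEY_RE.sub("[REDACTED-KEY-ID]", obj), [path]
    return obj, found


def check_export(text):
    """Parse an export and redact it; an empty second element means it was clean."""
    clean, found = redact(json.loads(text))
    return json.dumps(clean, indent=2), found


# Constructed sample Security Hub-style finding whose resource detail carries a key pair;
# the values are AWS's documented placeholder credentials, not real ones.
SAMPLE = json.dumps({"Findings": [{
    "Id": "arn:aws:securityhub:us-east-1:123456789012:finding/1",
    "Title": "IAM access key unused for 90 days",
    "Resources": [{"Type": "AwsIamAccessKey", "Id": "AKIAIOSFODNN7EXAMPLE",
                   "Details": {"SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}}]}]})
```

Run check_export over the file you intend to paste and only proceed when the returned list is empty; otherwise paste the redacted text.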
