ClawHub

SOC 2 AI Agent Compliance

v1.0.0

Guides organizations through SOC 2 compliance lifecycle with gap analysis, control implementation, evidence collection, audit prep, and continuous monitoring.

0· 578·0 current·0 all-time
by@1kalin
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name and description (SOC 2 lifecycle guidance) match the SKILL.md content: readiness assessment, control matrices, evidence plans, and timelines. References to third‑party tools (Okta, AWS Config, Datadog, etc.) are examples of evidence sources and are appropriate for the purpose.
Instruction Scope
SKILL.md is a detailed playbook and stays within advisory scope (templates, checklists, timelines, mapping of controls to evidence). It references automated evidence sources and monitoring tools but does not itself include commands, require reading arbitrary system files, or instruct contacting hidden endpoints. Be aware: real-world use will typically require connecting to monitoring/IAM services, which would require credentials supplied by the user (the skill does not request them).
Install Mechanism
No install spec and no code files — instruction-only content. This is the lowest-risk install posture (nothing is written to disk or downloaded by the skill).
Credentials
The skill declares no required environment variables, credentials, or config paths. While it names external tools as evidence sources, those are illustrative; the skill does not request unrelated secrets or broad environment access.
Persistence & Privilege
Skill defaults (not always:true, agent-invocation allowed) are used. It does not request permanent/system-level presence or modification of other skills' configuration.
Assessment
This appears to be a straightforward, instruction-only SOC 2 playbook. Before installing or using it, consider: (1) the skill itself does not fetch data or request credentials, but following its recommendations will likely require you to provide access (API keys, monitoring/log exports) to your systems — only grant least-privilege credentials and to trusted agents; (2) verify the publisher/source (the README points to an AfrexAI site) if you plan to share internal evidence or PII; (3) treat any prompts from the agent that ask for credentials, full logs, or secrets as high-risk — validate why those are needed and prefer manual uploads of redacted evidence; (4) if you need stronger assurance, ask the publisher for a provenance/author signature or run the guidance offline and avoid connecting the agent directly to production systems. If the skill later adds install scripts, network calls, or requests environment variables, re-evaluate (that would change this assessment).

Like a lobster shell, security has layers — review code before you run it.

auditvk977j3ch8vvkskxa8rc0drtp9981efv1compliancevk977j3ch8vvkskxa8rc0drtp9981efv1governancevk977j3ch8vvkskxa8rc0drtp9981efv1latestvk977j3ch8vvkskxa8rc0drtp9981efv1securityvk977j3ch8vvkskxa8rc0drtp9981efv1soc2vk977j3ch8vvkskxa8rc0drtp9981efv1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments