Agent Compliance & Security Assessment

v2.3.3

Comprehensive compliance and security self-assessment for AI agents. 14-check framework producing a structured threat model + compliance report with RED/AMBE...

by Justin (@roosch269)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name, description, and runtime instructions align: this is a questionnaire-style self-assessment that requires no binaries, credentials, or installs. Nothing declared in the manifest is excessive or unrelated to producing a compliance report.
Instruction Scope
SKILL.md explicitly instructs the agent not to read files, access credentials, run commands, or send data externally and to base answers on its existing knowledge (system prompt, tool list, loaded config). That scope matches the claimed behavior, but relying on the agent's existing knowledge can cause disclosure of sensitive internal data (system prompt, tool metadata, or config) if those contain secrets or operational details. The skill itself does not instruct any file I/O or network calls.
Install Mechanism
Instruction-only; no install spec, no code files to write to disk. This is the lowest-risk install profile.
Credentials
No environment variables, credentials, or config paths are requested. The only possible exposure vector is that the agent may reveal information present in its runtime context (system prompt, tool definitions, or loaded configuration), but that is a consequence of asking the agent to self-report rather than the skill demanding secrets.
Persistence & Privilege
The manifest's "always" flag is false, and the skill does not request persistent presence or modifications to agent settings. "disable-model-invocation" is also false (the normal setting), so the skill can be invoked autonomously by the model, but it carries no privileged flags or self-enabling behavior.
Assessment
This skill is coherent and does what it says: a 14-check questionnaire that does not read files or request secrets. Before running it, confirm that your agent's system prompt, tool metadata, and loaded configuration do not contain secrets or sensitive operational details you don't want disclosed — the skill asks the agent to report from that context and could therefore surface such information. If you're unsure, run the assessment in an isolated/test agent, enable a human-in-the-loop to review outputs, or redact/mask sensitive entries in the agent's configuration before use.

Tags: automation-bias, compliance, eu-ai-act, free, governance, latest, oversight-quality, security


Runtime requirements

🛡️ Clawdis
