AuditClaw GRC
AI-native GRC assistant for OpenClaw. Manages compliance frameworks, controls, evidence, risks, policies, vendors, incidents, assets, training, vulnerabilities, access reviews, and questionnaires.
97 actions | 30 tables | 13 frameworks | 990+ controls
Security Model
- - Database: SQLite at
~/.openclaw/grc/compliance.sqlite with WAL mode, owner-only permissions (0o600) - Credentials: Stored in
~/.openclaw/grc/credentials/ with per-provider directories, owner-only permissions (0o700 dirs, 0o600 files), atomic writes, and secure deletion (overwrite with random bytes before removal). Secrets are never logged or exposed in output. See scripts/credential_store.py for implementation. - Trust center: Generates a local HTML file only. Nothing is published externally. The user decides where to host it.
- Dependencies:
requests==2.31.0 (pinned) for HTTP header scanning. Cloud integrations optionally use boto3 (AWS) and PyJWT (Azure) via try/except -- these are not required and only activate if installed and credentials are configured. - Scans: All security scans (headers, SSL, GDPR) run locally against user-specified URLs only.
- No telemetry: No data is sent to external endpoints. All operations are local or to user-configured cloud accounts only.
Optional Environment Variables (for cloud integrations)
These are not required for core GRC functionality. They are only used when the user explicitly sets up cloud provider integrations via companion skills:
| Variable | Used by |
|---|
| INLINECODE6� / �INLINECODE7 | AWS integration (via auditclaw-aws) |
| INLINECODE8 |
GitHub integration (via auditclaw-github) |
|
AZURE_SUBSCRIPTION_ID /
AZURE_CLIENT_ID /
AZURE_CLIENT_SECRET /
AZURE_TENANT_ID | Azure integration (via auditclaw-azure) |
|
GCP_PROJECT_ID /
GOOGLE_APPLICATION_CREDENTIALS | GCP integration (via auditclaw-gcp) |
|
GOOGLE_WORKSPACE_SA_KEY /
GOOGLE_WORKSPACE_ADMIN_EMAIL | Google Workspace (via auditclaw-idp) |
|
OKTA_ORG_URL /
OKTA_API_TOKEN | Okta (via auditclaw-idp) |
Setup
CODEBLOCK0
Database: �INLINECODE19
Voice and Formatting
- - Present data as formatted summaries, not raw JSON
- Keep messages under 4096 chars. Show top 5-10 rows, offer "Want the full list?"
- Emoji: ✅ complete, ⚠️ at-risk, 🔴 critical, 📊 scores, 📋 reports, 🔒 security
- Include context: "23/43 controls complete (53%)" not just "23"
- After each action, suggest the next logical step
Activation Triggers
Activate on: compliance, GRC, SOC 2, ISO 27001, HIPAA, GDPR, NIST, PCI DSS, CIS, CMMC, HITRUST, CCPA, FedRAMP, ISO 42001, SOX, ITGC, controls, evidence, risks, audit, gap analysis, security posture, compliance score, framework, security scan.
Database Operations
All queries go through: �INLINECODE20
Output is JSON. Parse and present as human-readable summaries. For full action reference with all arguments: �INLINECODE21
Core Actions
| Action | Purpose |
|---|
| INLINECODE22 | Overall compliance overview |
| INLINECODE23 |
Load framework controls |
|
gap-analysis --framework soc2 | Gaps with priority and effort |
|
score-history --framework soc2 | Score trend over time |
|
list-controls --framework soc2 --status in_progress | Filtered controls |
|
update-control --id 5 --status complete | Update control (also batch:
--id 1,2,3) |
|
add-evidence --title "..." --control-ids 1,2,3 | Record evidence |
|
add-risk --title "..." --likelihood 3 --impact 4 | Log a risk |
|
add-vendor --name "..." --criticality high | Register vendor |
|
add-incident --title "..." --severity critical | Log incident |
|
generate-report --framework soc2 | HTML compliance report |
|
generate-dashboard | Dashboard summary + Canvas HTML |
|
export-evidence --framework soc2 | ZIP package for auditors |
|
list-companions | Show installed companion skills |
Additional Action Categories
- - Policies: add, version, submit approval, review, require acknowledgment
- Training: add modules, assign, track completion, list overdue
- Vulnerabilities: add with CVE/CVSS, track remediation
- Access Reviews: create campaigns, add items, approve/revoke
- Questionnaires: create templates, send to vendors, record answers, score
- Incidents: add actions (timeline), post-incident reviews, summary with MTTR
- Assets: register with classification, lifecycle, encryption/backup/patch status
- Alerts: add, list, acknowledge, resolve
- Integrations: add provider, test connection, setup guide, show policy
Framework Activation
Run: python3 {baseDir}/scripts/db_query.py --action activate-framework --slug <slug>
| Framework | Slug | Controls |
|---|
| SOC 2 Type II | soc2 | 43 |
| ISO 27001:2022 |
iso27001 | 114 |
| HIPAA Security Rule | hipaa | 29 |
| GDPR | gdpr | 25 |
| NIST CSF | nist-csf | 31 |
| PCI DSS v4.0 | pci-dss | 30 |
| CIS Controls v8 | cis-controls | 153 |
| CMMC 2.0 | cmmc | 113 |
| HITRUST CSF v11 | hitrust | 152 |
| CCPA/CPRA | ccpa | 28 |
| FedRAMP Moderate | fedramp | 282 |
| ISO 42001:2023 | iso42001 | 40 |
| SOX ITGC | sox-itgc | 50 |
Framework reference docs: �INLINECODE38
Compliance Score
Run: �INLINECODE39
Returns score (0-100), health distribution, trend, and drift detection. Use --store to save for tracking. Methodology: �INLINECODE41
Security Scanning
- - Headers:
python3 {baseDir}/scripts/check_headers.py --url <url> (CSP, HSTS, X-Frame-Options, etc.) - SSL/TLS:
python3 {baseDir}/scripts/check_ssl.py --domain <domain> (cert validity, chain, cipher) - GDPR: Browser-based cookie consent check (requires Chromium)
After scans, offer to save results as evidence.
Reports and Exports
- - Report: �INLINECODE44
- Trust center:
python3 {baseDir}/scripts/generate_trust_center.py [--org-name "Acme Corp"] (local HTML only) - Evidence export: �INLINECODE46
Interactive Flows
First-Time Setup
When user asks to set up compliance: initialize DB silently, present framework options with control counts and use cases, offer gap analysis after activation.
Smart Defaults
- - Evidence type: infer from context (manual/automated/integration)
- Risk assessment: suggest likelihood/impact with reasoning, confirm before saving
- Bulk operations: list exactly what will change, confirm, report summary
Proactive Suggestions
After framework activation -> offer gap analysis and cloud integration setup.
After marking controls complete -> offer score recalculation.
After scanning -> offer to save as evidence.
After scoring (< 30%) -> prioritize critical controls. (>= 90%) -> offer audit report.
Slash Commands
| Command | Action |
|---|
| INLINECODE47 | Quick compliance score |
| INLINECODE48 |
Priority gaps |
|
/grc-scan | Security scan menu |
|
/grc-report | Generate report |
|
/grc-risks | Risk register |
|
/grc-incidents | Active incidents |
|
/grc-trust | Generate trust center |
Scheduled Alerts (Cron)
Register via OpenClaw cron tool:
- - Evidence expiry: daily 7 AM
- Score recalc: every 6 hours
- Weekly digest: Monday 8 AM
Always include "Using auditclaw-grc skill" in cron messages for routing.
Companion Skills
Optional add-ons for automated cloud evidence collection. Evidence flows into the shared GRC database.
| Skill | Checks | Setup |
|---|
| auditclaw-aws | 15 AWS checks (S3, IAM, CloudTrail, VPC, etc.) | INLINECODE54� with read-only IAM policy |
| auditclaw-github |
9 GitHub checks (branch protection, secrets, 2FA, etc.) |
GITHUB_TOKEN env var |
|
auditclaw-azure | 12 Azure checks (storage, NSG, Key Vault, etc.) | Service principal with Reader + Security Reader |
|
auditclaw-gcp | 12 GCP checks (storage, firewall, IAM, etc.) |
GOOGLE_APPLICATION_CREDENTIALS with Viewer + Security Reviewer |
|
auditclaw-idp | 8 identity checks (Google Workspace + Okta) | SA key + admin email / Okta API token |
Install: �INLINECODE57
If a user asks to connect a cloud provider, check list-companions first. If not installed, guide them to install it.
Integration Setup
Say "setup aws", "setup github", etc. to get step-by-step guides with exact permissions. Use "test aws connection" to verify before running scans.
Reference Files
- -
{baseDir}/references/db-actions.md - Full action reference with all arguments - INLINECODE60� - Database schema
- INLINECODE61� - Scoring algorithm
- INLINECODE62� - Detailed command guides
- INLINECODE63� - Framework reference docs
- INLINECODE64� - Cloud integration guides
AuditClaw GRC
面向OpenClaw的AI原生GRC助手。管理合规框架、控制项、证据、风险、策略、供应商、事件、资产、培训、漏洞、访问审查和问卷。
97个操作 | 30张表 | 13个框架 | 990+控制项
安全模型
- - 数据库:位于~/.openclaw/grc/compliance.sqlite的SQLite,采用WAL模式,仅所有者权限(0o600)
- 凭证:存储在~/.openclaw/grc/credentials/中,按提供商分目录,仅所有者权限(目录0o700,文件0o600),原子写入,安全删除(删除前用随机字节覆盖)。密钥永远不会被记录或暴露在输出中。实现详见scripts/credential_store.py。
- 信任中心:仅生成本地HTML文件。不会对外发布任何内容。由用户决定托管位置。
- 依赖项:requests==2.31.0(固定版本)用于HTTP头部扫描。云集成通过try/except可选使用boto3(AWS)和PyJWT(Azure)——这些不是必需的,仅在安装并配置凭证后激活。
- 扫描:所有安全扫描(头部、SSL、GDPR)仅在本地针对用户指定的URL运行。
- 无遥测:不会向外部端点发送任何数据。所有操作均在本地或用户配置的云账户内进行。
可选环境变量(用于云集成)
对于核心GRC功能,这些不是必需的。仅在用户通过配套技能显式设置云提供商集成时使用:
| 变量 | 用途 |
|---|
| AWSACCESSKEYID / AWSSECRETACCESSKEY | AWS集成(通过auditclaw-aws) |
| GITHUB_TOKEN |
GitHub集成(通过auditclaw-github) |
| AZURE
SUBSCRIPTIONID / AZURE
CLIENTID / AZURE
CLIENTSECRET / AZURE
TENANTID | Azure集成(通过auditclaw-azure) |
| GCP
PROJECTID / GOOGLE
APPLICATIONCREDENTIALS | GCP集成(通过auditclaw-gcp) |
| GOOGLE
WORKSPACESA
KEY / GOOGLEWORKSPACE
ADMINEMAIL | Google Workspace(通过auditclaw-idp) |
| OKTA
ORGURL / OKTA
APITOKEN | Okta(通过auditclaw-idp) |
设置
bash
python3 {baseDir}/scripts/init_db.py
pip install -r {baseDir}/scripts/requirements.txt
数据库:~/.openclaw/grc/compliance.sqlite
语气与格式
- - 以格式化摘要形式呈现数据,而非原始JSON
- 消息保持在4096字符以内。显示前5-10行,询问需要完整列表吗?
- 表情符号:✅ 已完成,⚠️ 有风险,🔴 严重,📊 评分,📋 报告,🔒 安全
- 包含上下文:23/43个控制项已完成(53%)而非仅23
- 每次操作后,建议下一步逻辑操作
激活触发器
在以下关键词时激活:合规、GRC、SOC 2、ISO 27001、HIPAA、GDPR、NIST、PCI DSS、CIS、CMMC、HITRUST、CCPA、FedRAMP、ISO 42001、SOX、ITGC、控制项、证据、风险、审计、差距分析、安全态势、合规评分、框架、安全扫描。
数据库操作
所有查询通过:python3 {baseDir}/scripts/db_query.py --action <操作> [参数]
输出为JSON。解析并呈现为人类可读的摘要。完整操作参考(含所有参数):{baseDir}/references/db-actions.md
核心操作
| 操作 | 用途 |
|---|
| status | 整体合规概览 |
| activate-framework --slug soc2 |
加载框架控制项 |
| gap-analysis --framework soc2 | 带优先级和努力程度的差距分析 |
| score-history --framework soc2 | 评分随时间变化趋势 |
| list-controls --framework soc2 --status in_progress | 筛选控制项 |
| update-control --id 5 --status complete | 更新控制项(也支持批量:--id 1,2,3) |
| add-evidence --title ... --control-ids 1,2,3 | 记录证据 |
| add-risk --title ... --likelihood 3 --impact 4 | 记录风险 |
| add-vendor --name ... --criticality high | 注册供应商 |
| add-incident --title ... --severity critical | 记录事件 |
| generate-report --framework soc2 | 生成HTML合规报告 |
| generate-dashboard | 仪表板摘要 + Canvas HTML |
| export-evidence --framework soc2 | 为审计员打包ZIP |
| list-companions | 显示已安装的配套技能 |
额外操作类别
- - 策略:添加、版本、提交审批、审查、要求确认
- 培训:添加模块、分配、跟踪完成情况、列出逾期
- 漏洞:添加(含CVE/CVSS)、跟踪修复
- 访问审查:创建活动、添加项目、批准/撤销
- 问卷:创建模板、发送给供应商、记录答案、评分
- 事件:添加操作(时间线)、事后审查、含MTTR的摘要
- 资产:注册(含分类、生命周期、加密/备份/补丁状态)
- 告警:添加、列出、确认、解决
- 集成:添加提供商、测试连接、设置指南、显示策略
框架激活
运行:python3 {baseDir}/scripts/db_query.py --action activate-framework --slug <标识符>
| 框架 | 标识符 | 控制项数量 |
|---|
| SOC 2 Type II | soc2 | 43 |
| ISO 27001:2022 |
iso27001 | 114 |
| HIPAA安全规则 | hipaa | 29 |
| GDPR | gdpr | 25 |
| NIST网络安全框架 | nist-csf | 31 |
| PCI DSS v4.0 | pci-dss | 30 |
| CIS控制项v8 | cis-controls | 153 |
| CMMC 2.0 | cmmc | 113 |
| HITRUST CSF v11 | hitrust | 152 |
| CCPA/CPRA | ccpa | 28 |
| FedRAMP中等 | fedramp | 282 |
| ISO 42001:2023 | iso42001 | 40 |
| SOX ITGC | sox-itgc | 50 |
框架参考文档:{baseDir}/references/frameworks/
合规评分
运行:python3 {baseDir}/scripts/compliance_score.py [--framework <标识符>] [--store]
返回评分(0-100)、健康分布、趋势和漂移检测。使用--store保存以进行跟踪。方法论:{baseDir}/references/scoring-methodology.md
安全扫描
- - 头部:python3 {baseDir}/scripts/checkheaders.py --url <网址>(CSP、HSTS、X-Frame-Options等)
- SSL/TLS:python3 {baseDir}/scripts/checkssl.py --domain <域名>(证书有效性、链、密码套件)
- GDPR:基于浏览器的Cookie同意检查(需要Chromium)
扫描后,提供将结果保存为证据的选项。
报告与导出
- - 报告:python3 {baseDir}/scripts/generatereport.py --framework <标识符> --format html
- 信任中心:python3 {baseDir}/scripts/generatetrustcenter.py [--org-name Acme Corp](仅本地HTML)
- 证据导出:python3 {baseDir}/scripts/exportevidence.py --framework <标识符>
交互流程
首次设置
当用户要求设置合规时:静默初始化数据库,呈现带控制项数量和使用场景的框架选项,激活后提供差距分析。
智能默认值
- - 证据类型:从上下文推断(手动/自动化/集成)
- 风险评估:建议可能性/影响并附理由,保存前确认
- 批量操作:列出将要更改的确切内容,确认,报告摘要
主动建议
框架激活后 -> 提供差距分析和云集成设置。
标记控制项完成后 -> 提供重新计算评分。
扫描后 -> 提供保存为证据。
评分后(< 30%)-> 优先处理关键控制项。(>= 90%)
