compliance-checker

Policy-based compliance assessment for OpenClaw skills. Define security policies, assess skills against them, track violations, and generate compliance reports. Maps findings to frameworks like CIS Controls and OWASP. Integrates with arc-skill-scanner and arc-trust-verifier.

16 stars

Best use case

compliance-checker is best used when you need a repeatable AI agent workflow instead of a one-off prompt.


Teams using compliance-checker should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/compliance-checker/SKILL.md --create-dirs "https://raw.githubusercontent.com/diegosouzapw/awesome-omni-skill/main/skills/testing-security/compliance-checker/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/compliance-checker/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How compliance-checker Compares

Feature / Agent            compliance-checker    Standard Approach
Platform Support           Not specified         Limited / Varies
Context Awareness          High                  Baseline
Installation Complexity    Unknown               N/A


SKILL.md Source

# Compliance Checker

Assess OpenClaw skills against defined security policies. Track compliance posture across your skill inventory with framework-mapped findings and remediation tracking.

## Why This Exists

Security scanners find vulnerabilities. Trust verifiers check provenance. But neither answers: "Does this skill meet our security policy?" Compliance Checker bridges the gap — define what "compliant" means for your environment, then assess every skill against those rules.

## Quick Start

### Define a policy
```bash
python3 {baseDir}/scripts/checker.py policy create --name "production" --description "Production deployment requirements"
```

### Add rules to the policy
```bash
python3 {baseDir}/scripts/checker.py policy add-rule --policy "production" \
  --rule "no-critical-findings" \
  --description "No CRITICAL findings from skill scanner" \
  --severity critical

python3 {baseDir}/scripts/checker.py policy add-rule --policy "production" \
  --rule "trust-verified" \
  --description "Must have VERIFIED or TRUSTED trust level" \
  --severity high

python3 {baseDir}/scripts/checker.py policy add-rule --policy "production" \
  --rule "no-network-calls" \
  --description "No unauthorized network calls in scripts" \
  --severity high

python3 {baseDir}/scripts/checker.py policy add-rule --policy "production" \
  --rule "no-shell-exec" \
  --description "No shell=True or subprocess calls" \
  --severity medium

python3 {baseDir}/scripts/checker.py policy add-rule --policy "production" \
  --rule "has-checksum" \
  --description "Must have SHA-256 checksums for all scripts" \
  --severity medium
```

### Assess a skill against a policy
```bash
python3 {baseDir}/scripts/checker.py assess --skill "arc-budget-tracker" --policy "production"
```

### Assess all installed skills
```bash
python3 {baseDir}/scripts/checker.py assess-all --policy "production"
```

### View compliance status
```bash
python3 {baseDir}/scripts/checker.py status --policy "production"
```

### Generate compliance report
```bash
python3 {baseDir}/scripts/checker.py report --policy "production" --format json
python3 {baseDir}/scripts/checker.py report --policy "production" --format text
```

## Built-in Rules

The following rules are available out of the box:

| Rule | What it checks | Framework mapping |
|------|---------------|-------------------|
| `no-critical-findings` | No CRITICAL findings from scanner | CIS Control 16, OWASP A06 |
| `no-high-findings` | No HIGH findings from scanner | CIS Control 16, OWASP A06 |
| `trust-verified` | Trust level is VERIFIED or TRUSTED | CIS Control 2 |
| `no-network-calls` | No unauthorized network requests | CIS Control 9, OWASP A10 |
| `no-shell-exec` | No shell execution patterns | CIS Control 2, OWASP A03 |
| `no-eval-exec` | No eval/exec patterns | OWASP A03 |
| `has-checksum` | SHA-256 checksums for all files | CIS Control 2 |
| `no-env-access` | No environment variable access | CIS Control 3 |
| `no-data-exfil` | No data exfiltration patterns | CIS Control 3, CIS Control 13 |
| `version-pinned` | All dependencies version-pinned | CIS Control 2 |
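As an added illustration (not the project's `checker.py`, whose internals are not shown here), the `no-shell-exec`, `no-eval-exec` and `no-env-access` rules can be evaluated over a script's AST instead of with regexes; the sample script, the function names and the exact patterns matched are assumptions:

```python
import ast

# Constructed sample script standing in for a file under a skill's scripts/
# directory; it deliberately trips three of the rules in the table above.
SAMPLE_SCRIPT = '''
import os, subprocess
subprocess.run("ls -la " + os.environ["HOME"], shell=True)
result = eval(user_input)
'''

def _call_name(node):
    """Return the dotted name a Call targets, e.g. 'subprocess.run'."""
    parts = []
    func = node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))

def check_script(source):
    """Map each violated rule to the line numbers where it is violated.

    Walking the AST means a string literal or comment containing 'eval('
    does not produce a false positive, unlike a plain text search."""
    hits = {"no-shell-exec": [], "no-eval-exec": [], "no-env-access": []}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            # Any subprocess call counts, matching the rule description
            # ("No shell=True or subprocess calls"); os.system/os.popen too.
            if name.startswith("subprocess.") or name in ("os.system", "os.popen"):
                hits["no-shell-exec"].append(node.lineno)
            elif name in ("eval", "exec"):
                hits["no-eval-exec"].append(node.lineno)
            elif name in ("os.getenv", "os.environ.get"):
                hits["no-env-access"].append(node.lineno)
        elif isinstance(node, ast.Subscript):
            # os.environ["NAME"] style access (assumed pattern for the rule)
            value = node.value
            if isinstance(value, ast.Attribute) and value.attr == "environ":
                hits["no-env-access"].append(node.lineno)
    return {rule: sorted(lines) for rule, lines in hits.items() if lines}
```

Aliased imports (`import subprocess as sp`) and `from os import environ` are not resolved by this simplified walker, so a real rule engine would need to track import bindings as well.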

## Compliance Status

Each skill-policy assessment produces one of:

- **COMPLIANT** — Passes all rules in the policy
- **NON-COMPLIANT** — Fails one or more rules
- **EXEMPTED** — Has approved exemptions for all failures
- **UNKNOWN** — Not yet assessed

## Exemptions

Sometimes a skill legitimately needs to violate a rule (e.g., a network monitoring skill needs network access). Record exemptions with justification:

```bash
python3 {baseDir}/scripts/checker.py exempt --skill "arc-skill-scanner" \
  --rule "no-network-calls" \
  --reason "Scanner needs network access to check URLs against blocklists" \
  --approved-by "arc"
```
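Added example, not code from the project, showing how the four statuses in the Compliance Status section and the exemption records above interact when a skill is evaluated; the record layout, field names and sample skills are assumptions rather than the actual JSON schema under `~/.openclaw/compliance/`:

```python
# Constructed records assumed to mirror the JSON stored under
# ~/.openclaw/compliance/; the real schema is not shown in SKILL.md.
POLICY = {
    "name": "production",
    "rules": {"no-critical-findings": "critical", "trust-verified": "high",
              "no-network-calls": "high", "no-shell-exec": "medium",
              "has-checksum": "medium"},
}

# Assessment results: rule -> True if passed. None means never assessed.
ASSESSMENTS = {
    "arc-trust-verifier": dict.fromkeys(POLICY["rules"], True),
    "arc-budget-tracker": {**dict.fromkeys(POLICY["rules"], True), "no-shell-exec": False},
    "arc-skill-scanner": {**dict.fromkeys(POLICY["rules"], True), "no-network-calls": False},
    "new-skill": None,
}

EXEMPTIONS = [
    {"skill": "arc-skill-scanner", "rule": "no-network-calls",
     "reason": "Scanner needs network access to check URLs against blocklists",
     "approved_by": "arc"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def compliance_status(skill, policy, assessments, exemptions):
    """Return (status, open_failures, exempted_failures) for one skill.

    A rule missing from the assessment counts as failed (fail closed), and an
    exemption only counts if it names an approver."""
    results = assessments.get(skill)
    if results is None:
        return "UNKNOWN", [], []
    failed = [rule for rule in policy["rules"] if not results.get(rule, False)]
    if not failed:
        return "COMPLIANT", [], []
    exempt = {e["rule"] for e in exemptions
              if e["skill"] == skill and e.get("approved_by")}
    exempted = [rule for rule in failed if rule in exempt]
    # Remaining failures are reported most severe first.
    open_failures = sorted((rule for rule in failed if rule not in exempt),
                           key=lambda rule: SEVERITY_RANK[policy["rules"][rule]])
    if open_failures:
        return "NON-COMPLIANT", open_failures, exempted
    return "EXEMPTED", [], exempted

def status_summary(policy, assessments, exemptions):
    """Skill -> status, the shape a `status --policy` view would present."""
    return {skill: compliance_status(skill, policy, assessments, exemptions)[0]
            for skill in assessments}
```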

## Remediation Tracking

When a skill fails compliance, track the fix:

```bash
python3 {baseDir}/scripts/checker.py remediate --skill "some-skill" \
  --rule "no-shell-exec" \
  --action "Replaced subprocess.call with safer alternative" \
  --status fixed
```

## Storage

Compliance data is stored in `~/.openclaw/compliance/`:
- `policies/` — Policy definitions (JSON)
- `assessments/` — Assessment results per skill (JSON)
- `exemptions/` — Approved exemptions (JSON)
- `remediations/` — Remediation tracking (JSON)

## Integration

Compliance Checker reads output from:
- **arc-skill-scanner** — vulnerability findings
- **arc-trust-verifier** — trust levels and attestations

Run a full pipeline:
```bash
# Scan → verify trust → assess compliance
python3 {baseDir}/scripts/checker.py pipeline --skill "some-skill" --policy "production"
```
