arc-compliance-checker

Coding Agents & IDEs
v1.1.0
Benign

Policy-based compliance assessment for OpenClaw skills.

482 downloads · 482 installs · by @trypto1019

Setup & Installation

Install command:

clawhub install trypto1019/arc-compliance-checker

If the CLI is not installed:

npx clawhub@latest install trypto1019/arc-compliance-checker

Or install with the OpenClaw CLI:

openclaw skills install trypto1019/arc-compliance-checker

Or paste the repo link into your assistant's chat:

https://github.com/openclaw/skills/tree/main/skills/trypto1019/arc-compliance-checker

What This Skill Does

Policy-based compliance assessment for OpenClaw skills. Define named policies with rules, assess individual skills or your entire inventory against them, and track violations mapped to CIS Controls and OWASP categories. Supports exemptions and remediation tracking.

Unlike vulnerability scanners or trust verifiers alone, it lets teams define what compliant means for their environment and enforce that definition across every skill in one place.

When to Use It

  • Blocking a skill deployment when it fails a production policy check
  • Auditing all installed skills before a security review
  • Recording an exemption for a network-monitoring skill that needs outbound access
  • Tracking remediation status after a skill fails a no-shell-exec rule
  • Running a full scan-trust-compliance pipeline on a newly installed skill
# Compliance Checker

Assess OpenClaw skills against defined security policies. Track compliance posture across your skill inventory with framework-mapped findings and remediation tracking.

## Why This Exists

Security scanners find vulnerabilities. Trust verifiers check provenance. But neither answers: "Does this skill meet our security policy?" Compliance Checker bridges the gap — define what "compliant" means for your environment, then assess every skill against those rules.

## Quick Start

### Define a policy
```bash
python3 {baseDir}/scripts/checker.py policy create --name "production" --description "Production deployment requirements"
```

### Add rules to the policy
```bash
python3 {baseDir}/scripts/checker.py policy add-rule --policy "production" \
  --rule "no-critical-findings" \
  --description "No CRITICAL findings from skill scanner" \
  --severity critical

python3 {baseDir}/scripts/checker.py policy add-rule --policy "production" \
  --rule "trust-verified" \
  --description "Must have VERIFIED or TRUSTED trust level" \
  --severity high

python3 {baseDir}/scripts/checker.py policy add-rule --policy "production" \
  --rule "no-network-calls" \
  --description "No unauthorized network calls in scripts" \
  --severity high

python3 {baseDir}/scripts/checker.py policy add-rule --policy "production" \
  --rule "no-shell-exec" \
  --description "No shell=True or subprocess calls" \
  --severity medium

python3 {baseDir}/scripts/checker.py policy add-rule --policy "production" \
  --rule "has-checksum" \
  --description "Must have SHA-256 checksums for all scripts" \
  --severity medium
```

### Assess a skill against a policy
```bash
python3 {baseDir}/scripts/checker.py assess --skill "arc-budget-tracker" --policy "production"
```

### Assess all installed skills
```bash
python3 {baseDir}/scripts/checker.py assess-all --policy "production"
```

### View compliance status
```bash
python3 {baseDir}/scripts/checker.py status --policy "production"
```

### Generate compliance report
```bash
python3 {baseDir}/scripts/checker.py report --policy "production" --format json
python3 {baseDir}/scripts/checker.py report --policy "production" --format text
```

## Built-in Rules

The following rules are available out of the box:

| Rule | What it checks | Framework mapping |
|------|---------------|-------------------|
| `no-critical-findings` | No CRITICAL findings from scanner | CIS Control 16, OWASP A06 |
| `no-high-findings` | No HIGH findings from scanner | CIS Control 16, OWASP A06 |
| `trust-verified` | Trust level is VERIFIED or TRUSTED | CIS Control 2 |
| `no-network-calls` | No unauthorized network requests | CIS Control 9, OWASP A10 |
| `no-shell-exec` | No shell execution patterns | CIS Control 2, OWASP A03 |
| `no-eval-exec` | No eval/exec patterns | OWASP A03 |
| `has-checksum` | SHA-256 checksums for all files | CIS Control 2 |
| `no-env-access` | No environment variable access | CIS Control 3 |
| `no-data-exfil` | No data exfiltration patterns | CIS Control 3, CIS Control 13 |
| `version-pinned` | All dependencies version-pinned | CIS Control 2 |
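To make the rule table concrete, here is an added example (not the skill's own `checker.py`, whose pattern lists are not shown on this page) that evaluates four of the built-in rules against a Python script by walking its AST rather than grepping for strings, and attaches the CIS/OWASP mapping from the table to each finding. The call names in `RULE_CALLS`, the `Finding` shape and the sample script are all assumptions constructed for the example.

```python
import ast
from dataclasses import dataclass

# Framework mapping for the rules exercised here, copied from the SKILL.md rule table
FRAMEWORK_MAP = {
    "no-shell-exec": ("CIS Control 2", "OWASP A03"),
    "no-eval-exec": ("OWASP A03",),
    "no-env-access": ("CIS Control 3",),
    "no-network-calls": ("CIS Control 9", "OWASP A10"),
}

# Hypothetical call targets each rule flags; a real checker would carry a larger,
# configurable list. These are assumptions, not the skill's own patterns.
RULE_CALLS = {
    "no-shell-exec": {"os.system", "os.popen", "subprocess.run", "subprocess.call",
                      "subprocess.Popen", "subprocess.check_output", "subprocess.check_call"},
    "no-eval-exec": {"eval", "exec", "compile"},
    "no-env-access": {"os.getenv", "os.environ.get"},
    "no-network-calls": {"requests.get", "requests.post", "urllib.request.urlopen",
                         "socket.socket", "http.client.HTTPSConnection"},
}


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    detail: str
    frameworks: tuple


def _dotted_name(node):
    """Render a Name/Attribute chain such as subprocess.run as 'subprocess.run'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None  # computed callee, e.g. getattr(mod, name)(...): not resolvable statically


def evaluate_rules(source: str, rules=None) -> list:
    """Parse a Python script and return one Finding per (rule, call site), ordered by line."""
    rules = list(RULE_CALLS) if rules is None else list(rules)
    unknown = set(rules) - RULE_CALLS.keys()
    if unknown:
        raise ValueError(f"rules without an evaluator here: {sorted(unknown)}")
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name is None:
                continue
            # shell=True on any call is flagged under no-shell-exec even if the callee is unknown
            shell_kw = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                           and kw.value.value is True for kw in node.keywords)
            for rule in rules:
                if name in RULE_CALLS[rule] or (rule == "no-shell-exec" and shell_kw):
                    detail = f"call to {name}()" + (" with shell=True" if shell_kw else "")
                    findings.append(Finding(rule, node.lineno, detail, FRAMEWORK_MAP[rule]))
        elif isinstance(node, ast.Subscript) and "no-env-access" in rules:
            # os.environ["X"] is a subscript, not a call, so it needs its own branch
            if _dotted_name(node.value) == "os.environ":
                findings.append(Finding("no-env-access", node.lineno,
                                        "os.environ[...] lookup", FRAMEWORK_MAP["no-env-access"]))
    return sorted(findings, key=lambda f: (f.line, f.rule))


def failed_rules(findings) -> set:
    """Rule names that produced at least one finding, i.e. the rules the script fails."""
    return {f.rule for f in findings}


# Constructed sample script, not taken from any real skill
SAMPLE_SCRIPT = """\
import os, subprocess, requests
token = os.environ["API_TOKEN"]
subprocess.run("ls -la", shell=True)
resp = requests.get("https://example.invalid/status")
"""

if __name__ == "__main__":
    for f in evaluate_rules(SAMPLE_SCRIPT):
        print(f"line {f.line}: {f.rule} ({f.detail}) -> {', '.join(f.frameworks)}")
```

Working on the AST instead of raw text means a string literal or comment that merely mentions `subprocess` does not trigger a finding, while an aliased import (`import subprocess as sp`) would be missed; a production checker resolves aliases before matching names.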

## Compliance Status

Each skill-policy assessment produces one of:

- **COMPLIANT** — Passes all rules in the policy
- **NON-COMPLIANT** — Fails one or more rules
- **EXEMPTED** — Has approved exemptions for all failures
- **UNKNOWN** — Not yet assessed

## Exemptions

Sometimes a skill legitimately needs to violate a rule (e.g., a network monitoring skill needs network access). Record exemptions with justification:

```bash
python3 {baseDir}/scripts/checker.py exempt --skill "arc-skill-scanner" \
  --rule "no-network-calls" \
  --reason "Scanner needs network access to check URLs against blocklists" \
  --approved-by "arc"
```
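The four statuses above and the exemption mechanism combine into one decision rule: a failure only counts as exempted when an approved exemption exists for that skill and that rule. The following added example (not the skill's own code) implements that decision for the "production" policy from the quick start; the `Exemption` and `Assessment` shapes, the sample skills and their rule results are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

COMPLIANT, NON_COMPLIANT, EXEMPTED, UNKNOWN = "COMPLIANT", "NON-COMPLIANT", "EXEMPTED", "UNKNOWN"


@dataclass(frozen=True)
class Exemption:
    """Mirrors the arguments the `exempt` command takes (hypothetical record shape)."""
    skill: str
    rule: str
    reason: str
    approved_by: str

    def is_approved(self) -> bool:
        # An exemption with no approver or no justification must not suppress a failure
        return bool(self.reason.strip()) and bool(self.approved_by.strip())


@dataclass
class Assessment:
    skill: str
    policy: str
    status: str
    failed_rules: list = field(default_factory=list)
    exempted_rules: list = field(default_factory=list)


def assess(skill: str, policy: str, policy_rules, results: Optional[dict], exemptions) -> Assessment:
    """
    policy_rules: rule names that belong to the policy
    results: rule -> True (pass) / False (fail), or None if the skill was never assessed
    exemptions: every recorded Exemption (any skill, any rule); filtered here
    """
    # Missing results for any rule in the policy mean we cannot claim a status
    if results is None or any(rule not in results for rule in policy_rules):
        return Assessment(skill, policy, UNKNOWN)
    failed = [rule for rule in policy_rules if not results[rule]]
    approved = {e.rule for e in exemptions if e.skill == skill and e.is_approved()}
    exempted = [rule for rule in failed if rule in approved]
    if not failed:
        status = COMPLIANT
    elif len(exempted) == len(failed):
        status = EXEMPTED
    else:
        status = NON_COMPLIANT
    return Assessment(skill, policy, status, failed, exempted)


# Constructed sample data: the "production" policy from the quick start and four skills
PRODUCTION_RULES = ["no-critical-findings", "trust-verified", "no-network-calls",
                    "no-shell-exec", "has-checksum"]

SAMPLE_RESULTS = {
    "arc-budget-tracker": dict.fromkeys(PRODUCTION_RULES, True),
    "arc-skill-scanner": {**dict.fromkeys(PRODUCTION_RULES, True), "no-network-calls": False},
    "some-skill": {**dict.fromkeys(PRODUCTION_RULES, True), "no-shell-exec": False},
    "new-skill": None,  # installed but never assessed
}

SAMPLE_EXEMPTIONS = [
    Exemption("arc-skill-scanner", "no-network-calls",
              "Scanner needs network access to check URLs against blocklists", "arc"),
    Exemption("some-skill", "no-shell-exec", "pending review", ""),  # no approver: ignored
]


def status_summary(policy_rules, results_by_skill, exemptions) -> dict:
    """Map each skill to its status, the shape a `status --policy` view would print."""
    return {skill: assess(skill, "production", policy_rules, results, exemptions).status
            for skill, results in results_by_skill.items()}


if __name__ == "__main__":
    for skill, status in status_summary(PRODUCTION_RULES, SAMPLE_RESULTS, SAMPLE_EXEMPTIONS).items():
        print(f"{skill:20s} {status}")
```

Two edge cases are handled deliberately: a partial result set yields UNKNOWN rather than a false COMPLIANT, and an exemption recorded without an approver is ignored, so "some-skill" stays NON-COMPLIANT until someone signs off.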

## Remediation Tracking

When a skill fails compliance, track the fix:

```bash
python3 {baseDir}/scripts/checker.py remediate --skill "some-skill" \
  --rule "no-shell-exec" \
  --action "Replaced subprocess.call with safer alternative" \
  --status fixed
```

## Storage

Compliance data is stored in `~/.openclaw/compliance/`:
- `policies/` — Policy definitions (JSON)
- `assessments/` — Assessment results per skill (JSON)
- `exemptions/` — Approved exemptions (JSON)
- `remediations/` — Remediation tracking (JSON)

## Integration

Compliance Checker reads output from:
- **arc-skill-scanner** — vulnerability findings
- **arc-trust-verifier** — trust levels and attestations

Run a full pipeline:
```bash
# Scan → verify trust → assess compliance
python3 {baseDir}/scripts/checker.py pipeline --skill "some-skill" --policy "production"
```



Security Audits

VirusTotal: Benign
OpenClaw: Benign

These signals reflect official OpenClaw status values. A Suspicious status means the skill should be used with extra caution.

Details

Language: Markdown
Last updated: Feb 25, 2026