OpenClaw

Skill details (site mirror, no comments)


Evaluate and score vendors on security, financials, compliance, operations, and data handling to classify risk and manage remediation plans effectively.

Category: Media & Content

License: MIT-0

MIT-0 · Free to use, modify and redistribute. No attribution required.

Version: v1.0.0

Stats: ⭐ 0 · 362 · 0 current installs · 0 all-time installs


Package: 1kalin/afrexai-vendor-risk

Security scan (ClawHub)

  • VirusTotal: benign
  • OpenClaw: benign

OpenClaw Evaluation

The skill's instructions, scope, and requirements align with a vendor risk assessment playbook; it asks for no credentials, installs nothing, and contains only guidance and templates.

Purpose

The name/description (vendor risk assessment) matches the SKILL.md content: scoring rubric, portfolio view, templates, and red‑flags. There are no unexpected binaries, credentials, or system config requirements for this stated purpose.

Instruction Scope

The SKILL.md stays within the assessment domain (scoring, review templates, remediation actions). It includes external links to paid playbooks and an 'Agent Setup Wizard' URL — these are outside the skill but are only links. The skill itself does not instruct the agent to read local files, environment variables, or to transmit data to remote endpoints, but you should vet those external sites before following them.

Install Mechanism

Instruction-only skill with no install spec and no code files. This is low risk because nothing is written to disk or executed by the skill itself.

Credentials

No environment variables, credentials, or config paths are requested. The lack of secret or cloud credential requests is appropriate for a guidance/playbook skill.

Persistence

Defaults are used (always:false, agent invocation allowed). The skill does not request permanent presence or elevated privileges and does not attempt to modify other skills or system settings.

Overall Conclusion

This skill appears coherent and safe as a playbook: it only contains assessment guidance and templates and does not request credentials or install anything. Before using, review any external links (the playbook and agent‑setup URLs) in a browser to confirm they are trustworthy and avoid pasting sensitive credentials into third‑party sites. If you plan to automate vendor assessments, sandbox any agent workflows that will handle vendor data and …

Install (copy to the Lobster AI)

Copy the whole block below into a Lobster Chinese Library (龙虾中文库) chat; Lobster will complete the installation according to SKILL.md.

Please hand this block to Lobster Chinese Library (Lobster AI) to execute: install the OpenClaw skill "Vendor Risk Assessment" on this machine. Summary: Evaluate and score vendors on security, financials, compliance, operations, and…
Please fetch the following URL, read SKILL.md, and complete the installation as the document describes: https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/1kalin/afrexai-vendor-risk/SKILL.md
(Source: yingzhi8.cn skill library)

SKILL.md


# Vendor Risk Assessment

Score and manage third-party vendor risk across security, financial stability, compliance, operational dependency, and data handling. Built for procurement teams, CISOs, and operations leaders managing 10+ vendors.

## Usage
Run this assessment for each critical vendor. Aggregate scores into a portfolio risk view.

## Assessment Framework

### 1. Vendor Risk Scorecard (5 Domains, 0-100 each)

**Security Posture (0-100)**
- SOC 2 Type II current? (+20)
- Penetration test within 12 months? (+15)
- Incident response plan documented? (+15)
- Data encryption at rest and transit? (+15)
- MFA enforced for all access? (+10)
- Security questionnaire completed? (+10)
- Subprocessor list disclosed? (+15)

**Financial Stability (0-100)**
- Revenue trend (growing +25, flat +10, declining 0)
- Funding runway >18 months? (+20)
- Customer concentration <20%? (+15)
- Public financials or audited statements? (+15)
- No material litigation? (+15)
- Credit rating acceptable? (+10)

**Compliance & Regulatory (0-100)**
- Industry certifications current? (+20)
- GDPR/CCPA compliant? (+20)
- Data processing agreement signed? (+15)
- Regulatory audit history clean? (+15)
- Right to audit clause? (+15)
- Data residency requirements met? (+15)

**Operational Dependency (0-100)**
- SLA with financial penalties? (+20)
- Uptime >99.9% trailing 12 months? (+20)
- Disaster recovery tested annually? (+15)
- Single point of failure for your business? (-20)
- Migration plan documented? (+15)
- API/export capability? (+15)
- Vendor lock-in risk assessment? (+15)

**Data Handling (0-100)**
- Data classification documented? (+20)
- Retention/deletion policies clear? (+20)
- Breach notification <72 hours? (+20)
- Data portability guaranteed? (+15)
- AI/ML training on your data? (opt-out available +15, no opt-out -10)
- Access logging and audit trail? (+10)

### 2. Risk Tier Classification

| Aggregate Score | Tier | Review Cadence | Action |
|----------------|------|---------------|--------|
| 400-500 | Low Risk | Annual | Standard monitoring |
| 300-399 | Moderate | Semi-annual | Remediation plan required |
| 200-299 | High Risk | Quarterly | Executive escalation, alternatives identified |
| 0-199 | Critical | Monthly | Exit plan required within 90 days |

### 3. Portfolio Risk View

```
Total vendors: ___
Critical tier: ___ (target: 0)
High risk: ___ (target: <10%)
Moderate: ___ (target: <30%)
Low risk: ___ (target: >60%)

Top 3 concentration risks:
1. [Vendor] — [function] — [% of operations dependent]
2. [Vendor] — [function] — [% of operations dependent]
3. [Vendor] — [function] — [% of operations dependent]

Annual vendor spend: $___
Spend on high/critical vendors: $___  (___%)
```
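The scorecard, tier table and portfolio view above are a procedure that is easy to get subtly wrong by hand (the operational domain can go negative when a vendor is a single point of failure and little else is in place, and the tier boundaries are inclusive at the bottom). The following Python is an added example, not code from the skill's SKILL.md or from the OpenClaw project: it sums the rubric points per domain, clamps each domain to 0-100, classifies the 0-500 aggregate into a tier with its review cadence, and checks the section 3 portfolio targets. The criterion key names and the two vendor records are constructed for illustration.

```python
# Added example (not from the skill's SKILL.md or the OpenClaw project): scores a
# vendor against the five-domain rubric above, clamps each domain to 0-100,
# classifies the aggregate into a tier and tallies the portfolio targets.
# Criterion key names and both vendor records are constructed for illustration.

# Points per criterion, taken from the rubric; a criterion counts when its key
# is in the vendor's answer set. Graded items (revenue trend, AI training) are
# separate tables because they are not yes/no questions.
SECURITY = {"soc2_type2_current": 20, "pentest_within_12mo": 15, "ir_plan_documented": 15,
            "encryption_rest_and_transit": 15, "mfa_enforced": 10,
            "questionnaire_completed": 10, "subprocessors_disclosed": 15}
FINANCIAL = {"runway_over_18mo": 20, "customer_concentration_under_20pct": 15,
             "audited_financials": 15, "no_material_litigation": 15, "credit_rating_ok": 10}
REVENUE_TREND = {"growing": 25, "flat": 10, "declining": 0}
COMPLIANCE = {"certifications_current": 20, "gdpr_ccpa_compliant": 20, "dpa_signed": 15,
              "audit_history_clean": 15, "right_to_audit_clause": 15, "data_residency_met": 15}
OPERATIONAL = {"sla_with_penalties": 20, "uptime_over_99_9": 20, "dr_tested_annually": 15,
               "single_point_of_failure": -20,  # the rubric's one penalty item
               "migration_plan_documented": 15, "api_export_capability": 15,
               "lock_in_risk_assessed": 15}
DATA_HANDLING = {"classification_documented": 20, "retention_deletion_clear": 20,
                 "breach_notice_under_72h": 20, "portability_guaranteed": 15,
                 "access_logging": 10}
AI_TRAINING = {"not_used": 0, "opt_out_available": 15, "no_opt_out": -10}

# (minimum aggregate, tier, review cadence) from the tier table, highest first.
TIERS = [(400, "Low Risk", "Annual"), (300, "Moderate", "Semi-annual"),
         (200, "High Risk", "Quarterly"), (0, "Critical", "Monthly")]


def domain_score(table, answers, extra=0):
    """Sum the points of every criterion the vendor meets, add the graded item
    (revenue trend or AI-training stance) and clamp the result to 0-100."""
    raw = extra + sum(points for key, points in table.items() if key in answers)
    return max(0, min(100, raw))


def score_vendor(answers, revenue_trend="flat", ai_training="not_used"):
    """Return per-domain scores, the 0-500 aggregate and the tier it falls in."""
    scores = {
        "security": domain_score(SECURITY, answers),
        "financial": domain_score(FINANCIAL, answers, REVENUE_TREND[revenue_trend]),
        "compliance": domain_score(COMPLIANCE, answers),
        "operational": domain_score(OPERATIONAL, answers),
        "data_handling": domain_score(DATA_HANDLING, answers, AI_TRAINING[ai_training]),
    }
    aggregate = sum(scores.values())
    # First tier whose floor the aggregate reaches; the 0 floor catches everything else.
    tier, cadence = next((t, c) for floor, t, c in TIERS if aggregate >= floor)
    return {"scores": scores, "aggregate": aggregate, "tier": tier, "cadence": cadence}


def portfolio_view(results):
    """Count vendors per tier and check the section 3 targets."""
    total = len(results)
    counts = {tier: sum(r["tier"] == tier for r in results) for _, tier, _ in TIERS}
    share = {tier: (n / total if total else 0.0) for tier, n in counts.items()}
    targets_met = {
        "Critical": counts["Critical"] == 0,      # target: 0
        "High Risk": share["High Risk"] < 0.10,   # target: <10%
        "Moderate": share["Moderate"] < 0.30,     # target: <30%
        "Low Risk": share["Low Risk"] > 0.60,     # target: >60%
    }
    return {"total": total, "counts": counts, "targets_met": targets_met}


# Constructed vendor records: each set holds every criterion the vendor meets.
STRONG_VENDOR = frozenset({
    "soc2_type2_current", "pentest_within_12mo", "ir_plan_documented",
    "encryption_rest_and_transit", "mfa_enforced", "questionnaire_completed",
    "runway_over_18mo", "customer_concentration_under_20pct", "no_material_litigation",
    "credit_rating_ok", "certifications_current", "gdpr_ccpa_compliant", "dpa_signed",
    "audit_history_clean", "data_residency_met", "sla_with_penalties", "uptime_over_99_9",
    "dr_tested_annually", "single_point_of_failure", "migration_plan_documented",
    "api_export_capability", "classification_documented", "retention_deletion_clear",
    "breach_notice_under_72h", "access_logging",
})
WEAK_VENDOR = frozenset({
    "ir_plan_documented", "encryption_rest_and_transit", "mfa_enforced",
    "no_material_litigation", "gdpr_ccpa_compliant", "dpa_signed",
    "single_point_of_failure", "api_export_capability", "retention_deletion_clear",
})

if __name__ == "__main__":
    strong = score_vendor(STRONG_VENDOR, "growing", "opt_out_available")
    weak = score_vendor(WEAK_VENDOR, "declining", "no_opt_out")
    print(strong)  # aggregate 405, Low Risk, Annual
    print(weak)    # operational clamped from -5 to 0, aggregate 100, Critical
    print(portfolio_view([strong, weak]))
```

The strong vendor scores 85/85/85/65/85 for an aggregate of 405, so it lands in the Low Risk tier despite being a single point of failure; the weak vendor's operational domain sums to -5 and is clamped to 0, giving an aggregate of 100 and a Critical tier. With only those two vendors the portfolio misses both the "0 critical" and the ">60% low risk" targets, which is the kind of result the portfolio view is meant to surface.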

### 4. Cost of Vendor Failure

| Impact Area | Calculation |
|------------|-------------|
| Revenue loss | Daily revenue × expected downtime days |
| Recovery cost | Migration estimate + emergency procurement |
| Compliance penalty | Regulatory fine range for data breach via vendor |
| Reputation damage | Customer churn rate × LTV × affected customers |
| Operational disruption | Staff idle cost × recovery period |

### 5. Quarterly Review Template

- Score changes since last review (flag any >10 point drops)
- New subprocessors added by vendor
- SLA performance vs target
- Security incidents or near-misses
- Contract renewal timeline and negotiation leverage
- Alternative vendor benchmarking

### 6. Red Flags (Immediate Action)

- Vendor acquired by competitor
- Key personnel departures (CISO, CTO)
- Downtime exceeding SLA 2+ months
- Regulatory action or investigation
- Refusal to complete security questionnaire
- Data breach affecting other customers
- Sudden pricing changes >20%

## Industry-Specific Vendor Risks

| Industry | Critical Vendor Category | Specific Risk |
|----------|------------------------|---------------|
| Healthcare | EHR, billing, telehealth | HIPAA BAA gaps, PHI exposure |
| Financial Services | Core banking, payments, KYC | PCI DSS, regulatory reporting |
| Legal | Case management, ediscovery | Privilege breach, client data |
| SaaS | Infrastructure, auth, payments | Cascading outages, PII |
| Manufacturing | MES, supply chain, IoT | IP theft, production stoppage |
| Construction | Project management, safety | Compliance documentation gaps |
| Ecommerce | Payments, fulfillment, CDN | PCI, availability during peak |
| Recruitment | ATS, background check, payroll | Candidate PII, bias in AI screening |
| Real Estate | MLS, transaction mgmt, title | Wire fraud, closing delays |
| Professional Services | CRM, billing, document mgmt | Client confidentiality breach |

## Get the Full Playbook
- [AI Revenue Leak Calculator](https://afrexai-cto.github.io/ai-revenue-calculator/) — Quantify your total automation opportunity
- [Industry Context Packs](https://afrexai-cto.github.io/context-packs/) — $47 each, deep-dive playbooks
- [Agent Setup Wizard](https://afrexai-cto.github.io/agent-setup/) — Build your AI agent workforce