技能详情(站内镜像,无评论)
许可证:MIT-0
MIT-0 ·免费使用、修改和重新分发。无需归因。
版本:v1.0.0
统计:⭐ 0 · 45 · 0 current installs · 0 all-time installs
⭐ 0
安装量(当前) 0
🛡 VirusTotal :良性 · OpenClaw :可疑
Package:afrexai-cto/afrexai-soc2-evidence-collector
安全扫描(ClawHub)
- VirusTotal :良性
- OpenClaw :可疑
OpenClaw 评估
The skill's stated purpose (generate SOC2 checklists and scripts) is plausible, but the instructions expect broad access to cloud, IdP, and HR systems without declaring how credentials or sensitive exports will be requested, scoped, stored, or protected — this mismatch warrants caution.
目的
The name/description match the content: the skill aims to produce evidence checklists and automated collection scripts for cloud, GitHub, and IdP platforms. That capability is coherent with the stated purpose. However, generating runnable collection scripts for multiple platforms inherently requires credentials, API tokens or console access that are not described in the metadata (no required env vars or config paths). The absence of any declar…
说明范围
The SKILL.md instructs the agent to generate scripts and instructions to export logs, IAM mappings, terraform state, console configs, HR exports, calendar screenshots, and other sensitive artifacts across cloud providers and IdPs. Those instructions imply collection of highly sensitive data (credentials, logs, PII). The document does not explicitly constrain what the agent may ask for or where collected evidence may be sent; it also does not r…
安装机制
This is an instruction-only skill with no install spec and no bundled code — low disk footprint and no remote install URLs. That minimizes supply-chain risk from the package itself.
证书
The skill will need access to cloud consoles, IdPs, GitHub, HR systems, and possibly on-prem systems to collect evidence, but the registry metadata declares no required environment variables, credentials, or config paths. That mismatch means the skill either expects interactive credential entry, will produce scripts that require credentials, or will instruct the user to run commands themselves — the SKILL.md does not make the handling, scoping…
持久
The skill is not marked always:true and does not request any system-level persistence. It is user-invocable and allows model invocation (normal default). There is no evidence in the package of attempts to modify other skills or system-wide agent settings.
安装(复制给龙虾 AI)
将下方整段复制到龙虾中文库对话中,由龙虾按 SKILL.md 完成安装。
请把本段交给龙虾中文库(龙虾 AI)执行:为本机安装 OpenClaw 技能「Soc2 Evidence Collector」。简介:Generate SOC2 evidence collection checklists, automate evidence gathering scrip…。
请 fetch 以下地址读取 SKILL.md 并按文档完成安装:https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/afrexai-cto/afrexai-soc2-evidence-collector/SKILL.md
(来源:yingzhi8.cn 技能库)SKILL.md
---
name: soc2-evidence-collector
description: >
Generate SOC2 evidence collection checklists, automate evidence gathering scripts,
and produce audit-ready evidence packages. Covers all 5 Trust Service Criteria
(Security, Availability, Processing Integrity, Confidentiality, Privacy).
Use when preparing for SOC2 Type I/II audits, maintaining continuous compliance,
or building evidence collection automation. Built by AfrexAI.
metadata:
version: 1.0.0
author: AfrexAI
tags: [soc2, compliance, audit, security, evidence-collection, enterprise]
---
# SOC2 Evidence Collector
Automate evidence gathering for SOC2 Type I and Type II audits across all 5 Trust Service Criteria.
## When to Use
- Preparing for an upcoming SOC2 audit (Type I or Type II)
- Building continuous compliance evidence pipelines
- Auditor requests evidence and you need to gather it fast
- Onboarding a new client who requires SOC2 compliance proof
- Annual evidence refresh cycle
- Gap analysis before engaging an audit firm
## Input
Gather these from the user before generating:
### Required
1. **Audit type**: Type I (point-in-time) or Type II (over a period, typically 3-12 months)
2. **Trust Service Criteria in scope**: Security (CC — always required), plus any of: Availability, Processing Integrity, Confidentiality, Privacy
3. **Cloud provider(s)**: AWS, GCP, Azure, multi-cloud, on-prem, hybrid
4. **Primary tech stack**: languages, frameworks, CI/CD, IaC tools
5. **Team size**: engineering + ops headcount
### Optional
- Current compliance certifications (ISO 27001, HIPAA, PCI-DSS, etc.)
- Audit firm name and timeline
- Previous audit findings or gaps
- Specific control frameworks already mapped (NIST 800-53, CIS, etc.)
- SSO/IdP provider (Okta, Azure AD, Google Workspace, etc.)
## Evidence Categories
### CC — Common Criteria (Security) — Always In Scope
#### CC1: Control Environment
| Evidence | Source | Collection Method |
|----------|--------|-------------------|
| Org chart with security roles | HR system / Confluence | Manual export quarterly |
| Security policy documents | Policy repo / wiki | Git log showing annual review |
| Code of conduct acknowledgments | HR system | Export signed acknowledgments |
| Board/management meeting minutes on security | Calendar + notes | Screenshot + agenda export |
| Risk assessment documentation | GRC tool / spreadsheet | Export current risk register |
#### CC2: Communication and Information
| Evidence | Source | Collection Method |
|----------|--------|-------------------|
| Security awareness training records | LMS / training platform | Completion report export |
| Onboarding security checklist | HR system | Template + completion logs |
| Incident communication procedures | Runbook / wiki | Version-controlled doc with review history |
| External communication policies | Policy repo | Git log + approval records |
#### CC3: Risk Assessment
| Evidence | Source | Collection Method |
|----------|--------|-------------------|
| Annual risk assessment report | GRC tool | PDF export with sign-off |
| Vendor risk assessments | Vendor management tool | Export assessment records |
| Penetration test reports | Security vendor | PDF reports with remediation tracking |
| Vulnerability scan results | Scanner (Qualys, Nessus, etc.) | Automated export, monthly |
#### CC4: Monitoring Activities
| Evidence | Source | Collection Method |
|----------|--------|-------------------|
| SIEM dashboards and alert configs | Datadog / Splunk / CloudWatch | Screenshot + config export |
| Uptime monitoring evidence | Pingdom / Datadog / UptimeRobot | Monthly uptime reports |
| Log retention configuration | Cloud provider console | Config export / IaC snippet |
| Anomaly detection rules | SIEM / monitoring tool | Rule export with change log |
#### CC5: Control Activities
| Evidence | Source | Collection Method |
|----------|--------|-------------------|
| Access control matrix | IdP / IAM console | Export user-role mappings |
| MFA enforcement evidence | IdP admin console | Policy config screenshot |
| Firewall / security group rules | Cloud console / IaC | `terraform state` or console export |
| Encryption at rest configuration | Cloud console / IaC | Config export showing encryption enabled |
| Encryption in transit (TLS) | Load balancer / CDN config | Certificate + config export |
#### CC6: Logical and Physical Access Controls
| Evidence | Source | Collection Method |
|----------|--------|-------------------|
| User access reviews (quarterly) | IdP + spreadsheet | Review meeting notes + updated access list |
| Terminated user deprovisioning | IdP audit log | Export showing timely deactivation |
| SSH key / credential rotation logs | Secrets manager | Rotation event logs |
| Physical access logs (if applicable) | Building management | Badge access reports |
#### CC7: System Operations
| Evidence | Source | Collection Method |
|----------|--------|-------------------|
| Change management records | Jira / GitHub PRs | Export merged PRs with approvals |
| CI/CD pipeline configuration | GitHub Actions / CircleCI | Config file export from repo |
| Deployment approval process | PR review settings | Branch protection rule screenshots |
| Incident response logs | PagerDuty / Opsgenie | Incident timeline exports |
| Backup configuration and test results | Cloud console / IaC | Backup policy + restore test logs |
#### CC8: Change Management
| Evidence | Source | Collection Method |
|----------|--------|-------------------|
| PR review requirements | GitHub / GitLab settings | Branch protection config |
| Code review evidence | GitHub PR history | Export PRs with review comments |
| Release notes / changelogs | Repo | CHANGELOG.md with version history |
| Rollback procedures | Runbook | Documented procedure with test evidence |
#### CC9: Risk Mitigation
| Evidence | Source | Collection Method |
|----------|--------|-------------------|
| Business continuity plan | Policy repo | Document with annual review evidence |
| Disaster recovery test results | DR runbook | Test execution logs + results |
| Insurance certificates | Finance / legal | Current certificate copies |
| Sub-processor agreements | Legal / contract management | Signed DPAs + vendor list |
### A — Availability (If In Scope)
| Evidence | Source | Collection Method |
|----------|--------|-------------------|
| SLA definitions and monitoring | Product docs + monitoring | SLA doc + uptime dashboard exports |
| Capacity planning documentation | Architecture docs | Quarterly capacity review notes |
| Auto-scaling configuration | Cloud console / IaC | Config export |
| Incident response SLA adherence | PagerDuty / incident tracker | Response time reports |
| Redundancy / failover configuration | Cloud architecture | Architecture diagram + failover test logs |
### PI — Processing Integrity (If In Scope)
| Evidence | Source | Collection Method |
|----------|--------|-------------------|
| Data validation rules | Application code / config | Code snippets + test results |
| QA / testing procedures | CI/CD pipeline | Test suite config + pass/fail reports |
| Error handling and correction procedures | Runbook / code | Error handling docs + incident examples |
| Data reconciliation reports | Application logs / reports | Monthly reconciliation output |
### C — Confidentiality (If In Scope)
| Evidence | Source | Collection Method |
|----------|--------|-------------------|
| Data classification policy | Policy repo | Document with review history |
| NDA / confidentiality agreements | Legal / HR | Signed agreement copies |
| Data retention and disposal policy | Policy repo | Policy doc + disposal logs |
| DLP tool configuration | DLP tool admin | Config export + alert samples |
### P — Privacy (If In Scope)
| Evidence | Source | Collection Method |
|----------|--------|-------------------|
| Privacy policy (public) | Website | URL + version history |
| Data processing agreements | Legal | Signed DPAs |
| Consent management records | CMP / application | Consent log exports |
| Data subject request procedures | Policy repo / ticketing | Procedure doc + DSR ticket samples |
| Privacy impact assessments | GRC tool / docs | PIA reports for high-risk processing |
## Automation Scripts
When the user's stack is identified, generate shell scripts for automated evidence collection:
### AWS Evidence Collection (example)
```bash
#!/bin/bash
# SOC2 Evidence Collector — AWS
# Generated by AfrexAI SOC2 Evidence Collector skill
set -euo pipefail
EVIDENCE_DIR="soc2-evidence/$(date +%Y-%m-%d)"
mkdir -p "$EVIDENCE_DIR"/{iam,network,encryption,logging,compute}
echo "=== CC5: Access Controls ==="
aws iam get-account-summary > "$EVIDENCE_DIR/iam/account-summary.json"
aws iam generate-credential-report && sleep 5
aws iam get-credential-report --output text --query Content | base64 -d > "$EVIDENCE_DIR/iam/credential-report.csv"
aws iam list-users --output json > "$EVIDENCE_DIR/iam/users.json"
aws iam list-policies --scope Local --output json > "$EVIDENCE_DIR/iam/custom-policies.json"
echo "=== CC5: Encryption at Rest ==="
aws rds describe-db-instances --query 'DBInstances[*].{ID:DBInstanceIdentifier,Encrypted:StorageEncrypted,KmsKey:KmsKeyId}' > "$EVIDENCE_DIR/encryption/rds-encryption.json"
aws s3api list-buckets --query 'Buckets[*].Name' --output text | tr 't' 'n' | while read bucket; do
aws s3api get-bucket-encryption --bucket "$bucket" >> "$EVIDENCE_DIR/encryption/s3-encryption.json" 2>/dev/null || echo "{"bucket":"$bucket","encryption":"NONE"}" >> "$EVIDENCE_DIR/encryption/s3-encryption.json"
done
echo "=== CC4: Logging ==="
aws cloudtrail describe-trails > "$EVIDENCE_DIR/logging/cloudtrail-config.json"
aws cloudwatch describe-alarms --state-value ALARM > "$EVIDENCE_DIR/logging/active-alarms.json"
echo "=== CC5: Network Security ==="
aws ec2 describe-security-groups > "$EVIDENCE_DIR/network/security-groups.json"
aws ec2 describe-vpcs > "$EVIDENCE_DIR/network/vpcs.json"
echo "=== CC6: MFA Status ==="
aws iam list-virtual-mfa-devices > "$EVIDENCE_DIR/iam/mfa-devices.json"
echo "Evidence collected in $EVIDENCE_DIR"
echo "Review and redact sensitive values before sharing with auditors."
```
### GitHub Evidence Collection (example)
```bash
#!/bin/bash
# SOC2 Evidence Collector — GitHub
set -euo pipefail
ORG="${1:?Usage: $0 <github-org>}"
EVIDENCE_DIR="soc2-evidence/$(date +%Y-%m-%d)/github"
mkdir -p "$EVIDENCE_DIR"
echo "=== CC8: Branch Protection ==="
gh api "/orgs/$ORG/repos" --paginate --jq '.[].name' | while read repo; do
gh api "/repos/$ORG/$repo/branches/main/protection" 2>/dev/null > "$EVIDENCE_DIR/${repo}-branch-protection.json" || true
done
echo "=== CC7: Recent Deployments ==="
gh api "/orgs/$ORG/repos" --paginate --jq '.[].name' | head -10 | while read repo; do
gh api "/repos/$ORG/$repo/deployments?per_page=10" > "$EVIDENCE_DIR/${repo}-deployments.json" 2>/dev/null || true
done
echo "=== CC8: PR Review Evidence ==="
gh api "/orgs/$ORG/repos" --paginate --jq '.[].name' | head -10 | while read repo; do
gh pr list --repo "$ORG/$repo" --state merged --limit 20 --json number,title,mergedAt,reviewDecision > "$EVIDENCE_DIR/${repo}-merged-prs.json" 2>/dev/null || true
done
echo "=== CC5: Org Security Settings ==="
gh api "/orgs/$ORG" --jq '{two_factor_requirement: .two_factor_requirement_enabled, default_permissions: .default_repository_permission}' > "$EVIDENCE_DIR/org-security.json"
echo "Evidence collected in $EVIDENCE_DIR"
```
## Output Format
Generate a structured evidence package:
```
soc2-evidence/
├── README.md # Overview, scope, period, auditor info
├── evidence-matrix.md # Full checklist with status (collected/pending/N-A)
├── collection-scripts/
│ ├── collect-aws.sh
│ ├── collect-github.sh
│ ├── collect-idp.sh
│ └── collect-monitoring.sh
├── gap-analysis.md # Missing evidence + remediation steps
└── schedule.md # Evidence collection calendar (what to refresh when)
```
### evidence-matrix.md Format
```markdown
| # | Control | Evidence | Status | Source | Last Collected | Notes |
|---|---------|----------|--------|--------|---------------|-------|
| CC1.1 | Org chart | org-chart-2026-Q1.pdf | ✅ Collected | HR export | 2026-01-15 | |
| CC5.3 | MFA enforcement | mfa-config.json | ✅ Automated | IdP API | 2026-03-17 | Script: collect-idp.sh |
| CC3.2 | Pen test report | — | ⏳ Pending | External vendor | — | Due 2026-04-01 |
```
## Workflow
1. Gather inputs (audit type, scope, stack, team size)
2. Generate the full evidence matrix for in-scope criteria
3. Mark known evidence sources based on their stack
4. Generate collection scripts for automated gathering
5. Identify gaps and generate remediation recommendations
6. Create an evidence collection schedule (daily/weekly/monthly/quarterly)
7. Output the complete evidence package
## Tips for Users
- **Start 3-6 months before audit**: evidence gaps take time to fill
- **Automate early**: scripts that run monthly save panic before audit
- **Version everything**: auditors love seeing change history
- **Don't fake it**: missing evidence is better than fabricated evidence
- **Continuous > point-in-time**: Type II requires sustained evidence over the audit period
- **Tag evidence**: use consistent naming so auditors can self-serve
## AfrexAI Note
This skill generates the framework and automation scaffolding. For hands-on SOC2 audit preparation with managed AI agents handling continuous evidence collection, monitoring, and auditor coordination — that's what AfrexAI's AI-as-a-Service delivers. Contact us at hello@afrexai.com.