Tencent SkillHub · Security & Compliance

SOC 2 AI Agent Compliance

Guides organizations through SOC 2 compliance lifecycle with gap analysis, control implementation, evidence collection, audit prep, and continuous monitoring.

skill openclawclawhub Free

0 Downloads

0 Stars

0 Installs

0 Score

High Signal

Guides organizations through SOC 2 compliance lifecycle with gap analysis, control implementation, evidence collection, audit prep, and continuous monitoring.

⬇ 0 downloads ★ 0 stars Unverified but indexed

Install for OpenClaw

Quick setup

Download the package from Yavira.
Extract the archive and review SKILL.md first.
Import or place the package into your OpenClaw setup.

Requirements

Target platform: OpenClaw
Install method: Manual import
Extraction: Extract archive
Prerequisites: OpenClaw
Primary doc: SKILL.md

Package facts

Download mode: Yavira redirect
Package format: ZIP package
Source platform: Tencent SkillHub
What's included: README.md, SKILL.md

Validation

Use the Yavira download entry.
Review SKILL.md after the package is downloaded.
Confirm the extracted package contains the expected setup assets.

Install with your agent

Agent handoff

Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.

Download the package from Yavira.
Extract it into a folder your agent can access.
Paste one of the prompts below and point your agent at the extracted folder.

New install

I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete.

Upgrade existing

I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run.

Open Send to Agent page Open JSON manifest Open Markdown brief

Trust & source

Release facts

Source: Tencent SkillHub
Verification: Indexed source record
Version: 1.0.0

Provenance

Publisher: 1kalin
Source page: View original listing
Canonical URL: Open canonical page

Documentation

ClawHub primary doc Primary doc: SKILL.md 21 sections Open source page

SOC 2 Compliance Accelerator

Your agent for achieving and maintaining SOC 2 Type I and Type II compliance — from readiness assessment through audit completion.

What This Does

Guides organizations through the full SOC 2 lifecycle: gap analysis, control implementation, evidence collection, audit prep, and continuous monitoring. Covers all 5 Trust Service Criteria with practical implementation steps.

How to Use

Tell your agent what stage you're at: "Run SOC 2 readiness assessment" — 64-point gap analysis across all Trust Service Criteria "Build SOC 2 control matrix" — Maps controls to criteria with ownership and evidence requirements "Create SOC 2 evidence collection plan" — Automated and manual evidence gathering schedule "Prepare for SOC 2 audit" — Auditor-ready documentation package checklist "SOC 2 continuous monitoring dashboard" — Ongoing compliance tracking after certification

CC — Common Criteria (Security) — Required

CC1: Control Environment (tone at top, org structure, accountability) CC2: Communication & Information (internal/external, system boundaries) CC3: Risk Assessment (risk identification, fraud risk, change impact) CC4: Monitoring Activities (ongoing evaluations, deficiency reporting) CC5: Control Activities (policies, technology controls, deployment) CC6: Logical & Physical Access (access management, authentication, physical security) CC7: System Operations (vulnerability management, incident response, recovery) CC8: Change Management (change authorization, testing, approval) CC9: Risk Mitigation (vendor management, business continuity)

Optional Criteria

Availability (A1): Uptime SLAs, DR/BCP, capacity planning Processing Integrity (PI1): Data accuracy, completeness, timeliness Confidentiality (C1): Classification, encryption, retention, disposal Privacy (P1): Notice, consent, collection, use, disclosure, access

Phase 1: Scoping (Week 1)

System Description Checklist: □ Infrastructure components (cloud, on-prem, hybrid) □ Software stack (applications, databases, middleware) □ People (roles, responsibilities, third parties) □ Procedures (operational, security, change management) □ Data flows (ingress, processing, storage, egress) □ Trust Service Criteria selection (Security + which optional?) □ Subservice organizations (cloud providers, SaaS tools) □ Carve-out vs inclusive method for subservice orgs

Phase 2: Gap Analysis (Weeks 2-3)

Score each control area 1-5: 1 — Not Started: No policy, no process, no evidence 2 — Ad Hoc: Informal processes exist but undocumented 3 — Defined: Documented but inconsistent execution 4 — Managed: Documented, executed, some evidence 5 — Optimized: Automated, monitored, auditable evidence Priority Matrix: Gap ScoreActionTimeline1-2Critical — implement immediately2-4 weeks3Important — formalize and document1-2 weeks4Minor — fill evidence gaps3-5 days5Maintain — continue monitoringOngoing

Phase 3: Remediation (Weeks 3-10)

For each gap: 1. Assign control owner (by name, not role) 2. Define implementation steps 3. Set evidence collection method (automated preferred) 4. Establish testing cadence 5. Document exception handling process

Must-Have Controls (Week 1-4)

Access Management: SSO, MFA on all systems, quarterly access reviews Encryption: TLS 1.2+ in transit, AES-256 at rest, key management Logging: Centralized logging, 90-day retention minimum, tamper-evident Incident Response: Documented plan, defined roles, tested annually Change Management: Approval workflows, code review, deployment gates Vendor Management: Vendor inventory, risk assessments, SOC 2 reports from critical vendors Employee Security: Background checks, security awareness training, acceptable use policy Vulnerability Management: Regular scanning, patch cadence (critical <72hrs), penetration testing

Should-Have Controls (Week 4-8)

Business Continuity: DR plan, RTO/RPO defined, tested semi-annually Data Classification: 4-tier model (Public, Internal, Confidential, Restricted) Network Security: Segmentation, IDS/IPS, WAF for web applications Endpoint Protection: EDR, device encryption, MDM for mobile

Nice-to-Have Controls (Week 8+)

Security Metrics Dashboard: Real-time compliance posture Automated Compliance Monitoring: Continuous control testing Zero Trust Architecture: Beyond perimeter security

Automated Evidence (Set Once, Collect Forever)

ControlEvidence SourceTool ExamplesAccess ReviewsIAM exportsOkta, Azure AD, AWS IAMEncryptionConfig snapshotsAWS Config, CloudTrailLoggingLog aggregationDatadog, Splunk, ELKVulnerability ScansScan reportsQualys, Nessus, SnykChange ManagementPR/deploy historyGitHub, GitLab, JiraUptimeMonitoring dashboardsDatadog, PagerDuty

Manual Evidence (Scheduled Collection)

ControlEvidence TypeFrequencyBackground ChecksHR recordsPer hireSecurity TrainingCompletion certificatesAnnualRisk AssessmentAssessment documentAnnualPen TestingReportAnnualDR TestingTest resultsSemi-annualBoard/Mgmt ReviewMeeting minutesQuarterlyVendor ReviewsAssessment recordsAnnualPolicy ReviewsVersion historyAnnual

Type I (Point-in-Time) — 8-12 weeks total

Week 1-2: Auditor selection + engagement letter Week 2-4: System description draft Week 4-6: Control documentation + evidence prep Week 6-8: Fieldwork (auditor testing) Week 8-10: Draft report review Week 10-12: Final report issued

Type II (Period of Time) — 3-12 month observation + 4-6 weeks fieldwork

Month 1: Observation period begins (minimum 3 months, recommend 6-12) Ongoing: Evidence collection, control operation Month 3-12: Observation period ends +Week 1-2: Fieldwork scheduling +Week 2-4: Fieldwork (testing over observation period) +Week 4-6: Draft report + final report

Cost Framework

Company SizeType IType IIAnnual MaintenanceStartup (<50)$20K-$50K$30K-$80K$15K-$40KMid-Market (50-500)$40K-$100K$60K-$150K$30K-$80KEnterprise (500+)$80K-$200K$120K-$300K$60K-$150K Includes: auditor fees, tooling, personnel time, remediation costs. Hidden costs to budget: Compliance automation platform: $10K-$50K/year Additional security tooling: $5K-$30K/year Personnel time (internal): 200-800 hours Policy/procedure writing (if outsourced): $5K-$20K

Common Audit Findings (Avoid These)

Access not revoked within 24 hours of termination — #1 finding Missing or incomplete risk assessment — annual requirement No evidence of management review — need meeting minutes Incomplete vendor management — missing SOC reports from critical vendors Inconsistent change management — emergency changes without retroactive approval Security training gaps — new hires not trained within 30 days Logging gaps — not all in-scope systems sending to central logging

AI Agent SOC 2 Considerations (2026)

When deploying AI agents in SOC 2 environments: Data boundaries: Agents must not access data outside their defined scope Audit trail: All agent actions must be logged and attributable Access controls: Agent service accounts need same rigor as human accounts Model governance: Document which models process customer data Prompt injection defense: Part of CC7 (system operations) controls Output validation: Processing integrity controls for agent outputs

Industry-Specific Requirements

IndustryExtra CriteriaKey ControlsFintechAll 5 TSC typicalSOX mapping, encryption everywhere, PCI if paymentsHealthcarePrivacy, ConfidentialityHIPAA crosswalk, BAAs, PHI handlingSaaSAvailability, ConfidentialityMulti-tenant isolation, SLA complianceLegalConfidentiality, PrivacyPrivilege protection, matter isolationConstructionSecurity, AvailabilityField data protection, offline capabilityE-commerceAll 5 TSC typicalPCI DSS alignment, transaction integrity

7 SOC 2 Mistakes That Cost Companies 6+ Months

Starting with Type II — Get Type I first, prove controls work, then observe Scoping too broadly — Only include systems that touch customer data Choosing the wrong auditor — Pick one who knows your industry Manual evidence collection — Automate from day 1 or drown in spreadsheets Treating it as a project, not a program — SOC 2 is continuous Ignoring subservice organizations — Your cloud provider's SOC 2 matters No executive sponsor — Compliance without budget authority = failure

Get the Full Implementation Package

This skill gives you the framework. For industry-specific compliance playbooks with regulatory crosswalks, cost models, and vendor selection guides: 🔗 AfrexAI Context Packs — $47 per industry vertical Available packs: Fintech, Healthcare, Legal, Construction, E-commerce, SaaS, Real Estate, Recruitment, Manufacturing, Professional Services 🔗 AI Revenue Leak Calculator — Find where compliance gaps cost you money 🔗 Agent Setup Wizard — Deploy compliance monitoring agents in minutes Bundle pricing: Pick 3 packs: $97 All 10 packs: $197 Everything bundle: $247

Category context

Identity, auth, scanning, governance, audit, and operational guardrails.

Source: Tencent SkillHub

Largest current source with strong distribution and engagement signals.

Package contents

Included in package

2 Docs

SKILL.md Primary doc
README.md Docs