{ "schemaVersion": "1.0", "item": { "slug": "afrexai-soc2-compliance", "name": "SOC 2 AI Agent Compliance", "source": "tencent", "type": "skill", "category": "安全合规", "sourceUrl": "https://clawhub.ai/1kalin/afrexai-soc2-compliance", "canonicalUrl": "https://clawhub.ai/1kalin/afrexai-soc2-compliance", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/afrexai-soc2-compliance", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=afrexai-soc2-compliance", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "README.md", "SKILL.md" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-23T16:43:11.935Z", "expiresAt": "2026-04-30T16:43:11.935Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard", "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/afrexai-soc2-compliance" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/afrexai-soc2-compliance", "agentPageUrl": "https://openagent3.xyz/skills/afrexai-soc2-compliance/agent", "manifestUrl": "https://openagent3.xyz/skills/afrexai-soc2-compliance/agent.json", "briefUrl": "https://openagent3.xyz/skills/afrexai-soc2-compliance/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "SOC 2 Compliance Accelerator", "body": "Your agent for achieving and maintaining SOC 2 Type I and Type II compliance — from readiness assessment through audit completion." }, { "title": "What This Does", "body": "Guides organizations through the full SOC 2 lifecycle: gap analysis, control implementation, evidence collection, audit prep, and continuous monitoring. Covers all 5 Trust Service Criteria with practical implementation steps." }, { "title": "How to Use", "body": "Tell your agent what stage you're at:\n\n\"Run SOC 2 readiness assessment\" — 64-point gap analysis across all Trust Service Criteria\n\"Build SOC 2 control matrix\" — Maps controls to criteria with ownership and evidence requirements\n\"Create SOC 2 evidence collection plan\" — Automated and manual evidence gathering schedule\n\"Prepare for SOC 2 audit\" — Auditor-ready documentation package checklist\n\"SOC 2 continuous monitoring dashboard\" — Ongoing compliance tracking after certification" }, { "title": "CC — Common Criteria (Security) — Required", "body": "CC1: Control Environment (tone at top, org structure, accountability)\nCC2: Communication & Information (internal/external, system boundaries)\nCC3: Risk Assessment (risk identification, fraud risk, change impact)\nCC4: Monitoring Activities (ongoing evaluations, deficiency reporting)\nCC5: Control Activities (policies, technology controls, deployment)\nCC6: Logical & Physical Access (access management, authentication, physical security)\nCC7: System Operations (vulnerability management, incident response, recovery)\nCC8: Change Management (change authorization, testing, approval)\nCC9: Risk Mitigation (vendor management, business continuity)" }, { "title": "Optional Criteria", "body": "Availability (A1): Uptime SLAs, DR/BCP, capacity planning\nProcessing Integrity (PI1): Data accuracy, completeness, timeliness\nConfidentiality (C1): Classification, encryption, retention, disposal\nPrivacy (P1): Notice, consent, collection, use, disclosure, access" }, { "title": "Phase 1: Scoping (Week 1)", "body": "System Description Checklist:\n□ Infrastructure components (cloud, on-prem, hybrid)\n□ Software stack (applications, databases, middleware)\n□ People (roles, responsibilities, third parties)\n□ Procedures (operational, security, change management)\n□ Data flows (ingress, processing, storage, egress)\n□ Trust Service Criteria selection (Security + which optional?)\n□ Subservice organizations (cloud providers, SaaS tools)\n□ Carve-out vs inclusive method for subservice orgs" }, { "title": "Phase 2: Gap Analysis (Weeks 2-3)", "body": "Score each control area 1-5:\n\n1 — Not Started: No policy, no process, no evidence\n2 — Ad Hoc: Informal processes exist but undocumented\n3 — Defined: Documented but inconsistent execution\n4 — Managed: Documented, executed, some evidence\n5 — Optimized: Automated, monitored, auditable evidence\n\nPriority Matrix:\n\nGap ScoreActionTimeline1-2Critical — implement immediately2-4 weeks3Important — formalize and document1-2 weeks4Minor — fill evidence gaps3-5 days5Maintain — continue monitoringOngoing" }, { "title": "Phase 3: Remediation (Weeks 3-10)", "body": "For each gap:\n1. Assign control owner (by name, not role)\n2. Define implementation steps\n3. Set evidence collection method (automated preferred)\n4. Establish testing cadence\n5. Document exception handling process" }, { "title": "Must-Have Controls (Week 1-4)", "body": "Access Management: SSO, MFA on all systems, quarterly access reviews\nEncryption: TLS 1.2+ in transit, AES-256 at rest, key management\nLogging: Centralized logging, 90-day retention minimum, tamper-evident\nIncident Response: Documented plan, defined roles, tested annually\nChange Management: Approval workflows, code review, deployment gates\nVendor Management: Vendor inventory, risk assessments, SOC 2 reports from critical vendors\nEmployee Security: Background checks, security awareness training, acceptable use policy\nVulnerability Management: Regular scanning, patch cadence (critical <72hrs), penetration testing" }, { "title": "Should-Have Controls (Week 4-8)", "body": "Business Continuity: DR plan, RTO/RPO defined, tested semi-annually\nData Classification: 4-tier model (Public, Internal, Confidential, Restricted)\nNetwork Security: Segmentation, IDS/IPS, WAF for web applications\nEndpoint Protection: EDR, device encryption, MDM for mobile" }, { "title": "Nice-to-Have Controls (Week 8+)", "body": "Security Metrics Dashboard: Real-time compliance posture\nAutomated Compliance Monitoring: Continuous control testing\nZero Trust Architecture: Beyond perimeter security" }, { "title": "Automated Evidence (Set Once, Collect Forever)", "body": "ControlEvidence SourceTool ExamplesAccess ReviewsIAM exportsOkta, Azure AD, AWS IAMEncryptionConfig snapshotsAWS Config, CloudTrailLoggingLog aggregationDatadog, Splunk, ELKVulnerability ScansScan reportsQualys, Nessus, SnykChange ManagementPR/deploy historyGitHub, GitLab, JiraUptimeMonitoring dashboardsDatadog, PagerDuty" }, { "title": "Manual Evidence (Scheduled Collection)", "body": "ControlEvidence TypeFrequencyBackground ChecksHR recordsPer hireSecurity TrainingCompletion certificatesAnnualRisk AssessmentAssessment documentAnnualPen TestingReportAnnualDR TestingTest resultsSemi-annualBoard/Mgmt ReviewMeeting minutesQuarterlyVendor ReviewsAssessment recordsAnnualPolicy ReviewsVersion historyAnnual" }, { "title": "Type I (Point-in-Time) — 8-12 weeks total", "body": "Week 1-2: Auditor selection + engagement letter\nWeek 2-4: System description draft\nWeek 4-6: Control documentation + evidence prep\nWeek 6-8: Fieldwork (auditor testing)\nWeek 8-10: Draft report review\nWeek 10-12: Final report issued" }, { "title": "Type II (Period of Time) — 3-12 month observation + 4-6 weeks fieldwork", "body": "Month 1: Observation period begins (minimum 3 months, recommend 6-12)\nOngoing: Evidence collection, control operation\nMonth 3-12: Observation period ends\n+Week 1-2: Fieldwork scheduling\n+Week 2-4: Fieldwork (testing over observation period)\n+Week 4-6: Draft report + final report" }, { "title": "Cost Framework", "body": "Company SizeType IType IIAnnual MaintenanceStartup (<50)$20K-$50K$30K-$80K$15K-$40KMid-Market (50-500)$40K-$100K$60K-$150K$30K-$80KEnterprise (500+)$80K-$200K$120K-$300K$60K-$150K\n\nIncludes: auditor fees, tooling, personnel time, remediation costs.\n\nHidden costs to budget:\n\nCompliance automation platform: $10K-$50K/year\nAdditional security tooling: $5K-$30K/year\nPersonnel time (internal): 200-800 hours\nPolicy/procedure writing (if outsourced): $5K-$20K" }, { "title": "Common Audit Findings (Avoid These)", "body": "Access not revoked within 24 hours of termination — #1 finding\nMissing or incomplete risk assessment — annual requirement\nNo evidence of management review — need meeting minutes\nIncomplete vendor management — missing SOC reports from critical vendors\nInconsistent change management — emergency changes without retroactive approval\nSecurity training gaps — new hires not trained within 30 days\nLogging gaps — not all in-scope systems sending to central logging" }, { "title": "AI Agent SOC 2 Considerations (2026)", "body": "When deploying AI agents in SOC 2 environments:\n\nData boundaries: Agents must not access data outside their defined scope\nAudit trail: All agent actions must be logged and attributable\nAccess controls: Agent service accounts need same rigor as human accounts\nModel governance: Document which models process customer data\nPrompt injection defense: Part of CC7 (system operations) controls\nOutput validation: Processing integrity controls for agent outputs" }, { "title": "Industry-Specific Requirements", "body": "IndustryExtra CriteriaKey ControlsFintechAll 5 TSC typicalSOX mapping, encryption everywhere, PCI if paymentsHealthcarePrivacy, ConfidentialityHIPAA crosswalk, BAAs, PHI handlingSaaSAvailability, ConfidentialityMulti-tenant isolation, SLA complianceLegalConfidentiality, PrivacyPrivilege protection, matter isolationConstructionSecurity, AvailabilityField data protection, offline capabilityE-commerceAll 5 TSC typicalPCI DSS alignment, transaction integrity" }, { "title": "7 SOC 2 Mistakes That Cost Companies 6+ Months", "body": "Starting with Type II — Get Type I first, prove controls work, then observe\nScoping too broadly — Only include systems that touch customer data\nChoosing the wrong auditor — Pick one who knows your industry\nManual evidence collection — Automate from day 1 or drown in spreadsheets\nTreating it as a project, not a program — SOC 2 is continuous\nIgnoring subservice organizations — Your cloud provider's SOC 2 matters\nNo executive sponsor — Compliance without budget authority = failure" }, { "title": "Get the Full Implementation Package", "body": "This skill gives you the framework. For industry-specific compliance playbooks with regulatory crosswalks, cost models, and vendor selection guides:\n\n🔗 AfrexAI Context Packs — $47 per industry vertical\n\nAvailable packs: Fintech, Healthcare, Legal, Construction, E-commerce, SaaS, Real Estate, Recruitment, Manufacturing, Professional Services\n\n🔗 AI Revenue Leak Calculator — Find where compliance gaps cost you money\n\n🔗 Agent Setup Wizard — Deploy compliance monitoring agents in minutes\n\nBundle pricing:\n\nPick 3 packs: $97\nAll 10 packs: $197\nEverything bundle: $247" } ], "body": "SOC 2 Compliance Accelerator\n\nYour agent for achieving and maintaining SOC 2 Type I and Type II compliance — from readiness assessment through audit completion.\n\nWhat This Does\n\nGuides organizations through the full SOC 2 lifecycle: gap analysis, control implementation, evidence collection, audit prep, and continuous monitoring. Covers all 5 Trust Service Criteria with practical implementation steps.\n\nHow to Use\n\nTell your agent what stage you're at:\n\n\"Run SOC 2 readiness assessment\" — 64-point gap analysis across all Trust Service Criteria\n\"Build SOC 2 control matrix\" — Maps controls to criteria with ownership and evidence requirements\n\"Create SOC 2 evidence collection plan\" — Automated and manual evidence gathering schedule\n\"Prepare for SOC 2 audit\" — Auditor-ready documentation package checklist\n\"SOC 2 continuous monitoring dashboard\" — Ongoing compliance tracking after certification\nTrust Service Criteria Coverage\nCC — Common Criteria (Security) — Required\nCC1: Control Environment (tone at top, org structure, accountability)\nCC2: Communication & Information (internal/external, system boundaries)\nCC3: Risk Assessment (risk identification, fraud risk, change impact)\nCC4: Monitoring Activities (ongoing evaluations, deficiency reporting)\nCC5: Control Activities (policies, technology controls, deployment)\nCC6: Logical & Physical Access (access management, authentication, physical security)\nCC7: System Operations (vulnerability management, incident response, recovery)\nCC8: Change Management (change authorization, testing, approval)\nCC9: Risk Mitigation (vendor management, business continuity)\nOptional Criteria\nAvailability (A1): Uptime SLAs, DR/BCP, capacity planning\nProcessing Integrity (PI1): Data accuracy, completeness, timeliness\nConfidentiality (C1): Classification, encryption, retention, disposal\nPrivacy (P1): Notice, consent, collection, use, disclosure, access\nReadiness Assessment Framework\nPhase 1: Scoping (Week 1)\nSystem Description Checklist:\n□ Infrastructure components (cloud, on-prem, hybrid)\n□ Software stack (applications, databases, middleware)\n□ People (roles, responsibilities, third parties)\n□ Procedures (operational, security, change management)\n□ Data flows (ingress, processing, storage, egress)\n□ Trust Service Criteria selection (Security + which optional?)\n□ Subservice organizations (cloud providers, SaaS tools)\n□ Carve-out vs inclusive method for subservice orgs\n\nPhase 2: Gap Analysis (Weeks 2-3)\n\nScore each control area 1-5:\n\n1 — Not Started: No policy, no process, no evidence\n2 — Ad Hoc: Informal processes exist but undocumented\n3 — Defined: Documented but inconsistent execution\n4 — Managed: Documented, executed, some evidence\n5 — Optimized: Automated, monitored, auditable evidence\n\nPriority Matrix:\n\nGap Score\tAction\tTimeline\n1-2\tCritical — implement immediately\t2-4 weeks\n3\tImportant — formalize and document\t1-2 weeks\n4\tMinor — fill evidence gaps\t3-5 days\n5\tMaintain — continue monitoring\tOngoing\nPhase 3: Remediation (Weeks 3-10)\nFor each gap:\n1. Assign control owner (by name, not role)\n2. Define implementation steps\n3. Set evidence collection method (automated preferred)\n4. Establish testing cadence\n5. Document exception handling process\n\nControl Implementation Priorities\nMust-Have Controls (Week 1-4)\nAccess Management: SSO, MFA on all systems, quarterly access reviews\nEncryption: TLS 1.2+ in transit, AES-256 at rest, key management\nLogging: Centralized logging, 90-day retention minimum, tamper-evident\nIncident Response: Documented plan, defined roles, tested annually\nChange Management: Approval workflows, code review, deployment gates\nVendor Management: Vendor inventory, risk assessments, SOC 2 reports from critical vendors\nEmployee Security: Background checks, security awareness training, acceptable use policy\nVulnerability Management: Regular scanning, patch cadence (critical <72hrs), penetration testing\nShould-Have Controls (Week 4-8)\nBusiness Continuity: DR plan, RTO/RPO defined, tested semi-annually\nData Classification: 4-tier model (Public, Internal, Confidential, Restricted)\nNetwork Security: Segmentation, IDS/IPS, WAF for web applications\nEndpoint Protection: EDR, device encryption, MDM for mobile\nNice-to-Have Controls (Week 8+)\nSecurity Metrics Dashboard: Real-time compliance posture\nAutomated Compliance Monitoring: Continuous control testing\nZero Trust Architecture: Beyond perimeter security\nEvidence Collection Guide\nAutomated Evidence (Set Once, Collect Forever)\nControl\tEvidence Source\tTool Examples\nAccess Reviews\tIAM exports\tOkta, Azure AD, AWS IAM\nEncryption\tConfig snapshots\tAWS Config, CloudTrail\nLogging\tLog aggregation\tDatadog, Splunk, ELK\nVulnerability Scans\tScan reports\tQualys, Nessus, Snyk\nChange Management\tPR/deploy history\tGitHub, GitLab, Jira\nUptime\tMonitoring dashboards\tDatadog, PagerDuty\nManual Evidence (Scheduled Collection)\nControl\tEvidence Type\tFrequency\nBackground Checks\tHR records\tPer hire\nSecurity Training\tCompletion certificates\tAnnual\nRisk Assessment\tAssessment document\tAnnual\nPen Testing\tReport\tAnnual\nDR Testing\tTest results\tSemi-annual\nBoard/Mgmt Review\tMeeting minutes\tQuarterly\nVendor Reviews\tAssessment records\tAnnual\nPolicy Reviews\tVersion history\tAnnual\nAudit Timeline\nType I (Point-in-Time) — 8-12 weeks total\nWeek 1-2: Auditor selection + engagement letter\nWeek 2-4: System description draft\nWeek 4-6: Control documentation + evidence prep\nWeek 6-8: Fieldwork (auditor testing)\nWeek 8-10: Draft report review\nWeek 10-12: Final report issued\n\nType II (Period of Time) — 3-12 month observation + 4-6 weeks fieldwork\nMonth 1: Observation period begins (minimum 3 months, recommend 6-12)\nOngoing: Evidence collection, control operation\nMonth 3-12: Observation period ends\n+Week 1-2: Fieldwork scheduling\n+Week 2-4: Fieldwork (testing over observation period)\n+Week 4-6: Draft report + final report\n\nCost Framework\nCompany Size\tType I\tType II\tAnnual Maintenance\nStartup (<50)\t$20K-$50K\t$30K-$80K\t$15K-$40K\nMid-Market (50-500)\t$40K-$100K\t$60K-$150K\t$30K-$80K\nEnterprise (500+)\t$80K-$200K\t$120K-$300K\t$60K-$150K\n\nIncludes: auditor fees, tooling, personnel time, remediation costs.\n\nHidden costs to budget:\n\nCompliance automation platform: $10K-$50K/year\nAdditional security tooling: $5K-$30K/year\nPersonnel time (internal): 200-800 hours\nPolicy/procedure writing (if outsourced): $5K-$20K\nCommon Audit Findings (Avoid These)\nAccess not revoked within 24 hours of termination — #1 finding\nMissing or incomplete risk assessment — annual requirement\nNo evidence of management review — need meeting minutes\nIncomplete vendor management — missing SOC reports from critical vendors\nInconsistent change management — emergency changes without retroactive approval\nSecurity training gaps — new hires not trained within 30 days\nLogging gaps — not all in-scope systems sending to central logging\nAI Agent SOC 2 Considerations (2026)\n\nWhen deploying AI agents in SOC 2 environments:\n\nData boundaries: Agents must not access data outside their defined scope\nAudit trail: All agent actions must be logged and attributable\nAccess controls: Agent service accounts need same rigor as human accounts\nModel governance: Document which models process customer data\nPrompt injection defense: Part of CC7 (system operations) controls\nOutput validation: Processing integrity controls for agent outputs\nIndustry-Specific Requirements\nIndustry\tExtra Criteria\tKey Controls\nFintech\tAll 5 TSC typical\tSOX mapping, encryption everywhere, PCI if payments\nHealthcare\tPrivacy, Confidentiality\tHIPAA crosswalk, BAAs, PHI handling\nSaaS\tAvailability, Confidentiality\tMulti-tenant isolation, SLA compliance\nLegal\tConfidentiality, Privacy\tPrivilege protection, matter isolation\nConstruction\tSecurity, Availability\tField data protection, offline capability\nE-commerce\tAll 5 TSC typical\tPCI DSS alignment, transaction integrity\n7 SOC 2 Mistakes That Cost Companies 6+ Months\nStarting with Type II — Get Type I first, prove controls work, then observe\nScoping too broadly — Only include systems that touch customer data\nChoosing the wrong auditor — Pick one who knows your industry\nManual evidence collection — Automate from day 1 or drown in spreadsheets\nTreating it as a project, not a program — SOC 2 is continuous\nIgnoring subservice organizations — Your cloud provider's SOC 2 matters\nNo executive sponsor — Compliance without budget authority = failure\nGet the Full Implementation Package\n\nThis skill gives you the framework. For industry-specific compliance playbooks with regulatory crosswalks, cost models, and vendor selection guides:\n\n🔗 AfrexAI Context Packs — $47 per industry vertical\n\nAvailable packs: Fintech, Healthcare, Legal, Construction, E-commerce, SaaS, Real Estate, Recruitment, Manufacturing, Professional Services\n\n🔗 AI Revenue Leak Calculator — Find where compliance gaps cost you money\n\n🔗 Agent Setup Wizard — Deploy compliance monitoring agents in minutes\n\nBundle pricing:\n\nPick 3 packs: $97\nAll 10 packs: $197\nEverything bundle: $247" }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/1kalin/afrexai-soc2-compliance", "publisherUrl": "https://clawhub.ai/1kalin/afrexai-soc2-compliance", "owner": "1kalin", "version": "1.0.0", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/afrexai-soc2-compliance", "downloadUrl": "https://openagent3.xyz/downloads/afrexai-soc2-compliance", "agentUrl": "https://openagent3.xyz/skills/afrexai-soc2-compliance/agent", "manifestUrl": "https://openagent3.xyz/skills/afrexai-soc2-compliance/agent.json", "briefUrl": "https://openagent3.xyz/skills/afrexai-soc2-compliance/agent.md" } }