{
  "schemaVersion": "1.0",
  "item": {
    "slug": "auditclaw-gcp",
    "name": "AuditClaw Gcp",
    "source": "tencent",
    "type": "skill",
    "category": "Security & Compliance",
    "sourceUrl": "https://clawhub.ai/mailnike/auditclaw-gcp",
    "canonicalUrl": "https://clawhub.ai/mailnike/auditclaw-gcp",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/auditclaw-gcp",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=auditclaw-gcp",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "README.md",
      "scripts/requirements.txt",
      "scripts/checks/cloudsql.py",
      "scripts/checks/dns.py",
      "scripts/checks/iam.py",
      "scripts/checks/firewall.py"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-23T16:43:11.935Z",
      "expiresAt": "2026-04-30T16:43:11.935Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
        "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/auditclaw-gcp"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/auditclaw-gcp",
    "agentPageUrl": "https://openagent3.xyz/skills/auditclaw-gcp/agent",
    "manifestUrl": "https://openagent3.xyz/skills/auditclaw-gcp/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/auditclaw-gcp/agent.md"
  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "AuditClaw GCP",
        "body": "Companion skill for auditclaw-grc. Collects compliance evidence from Google Cloud Platform projects using read-only API calls.\n\n12 checks | Viewer + Security Reviewer roles only | Evidence stored in shared GRC database"
      },
      {
        "title": "Security Model",
        "body": "Read-only access: Requires 6 read-only IAM roles (Viewer, Security Reviewer, Cloud SQL Viewer, Logging Viewer, DNS Reader, Cloud KMS Viewer). No write/modify permissions.\nCredentials: Uses standard GCP credential chain (GOOGLE_APPLICATION_CREDENTIALS or gcloud auth). No credentials stored by this skill.\nDependencies: Google Cloud SDK packages (all pinned in requirements.txt)\nData flow: Check results stored as evidence in ~/.openclaw/grc/compliance.sqlite via auditclaw-grc"
      },
      {
        "title": "Prerequisites",
        "body": "GCP credentials configured (gcloud auth application-default login or service account JSON)\nGCP_PROJECT_ID environment variable set\npip install -r scripts/requirements.txt\nauditclaw-grc skill installed and initialized"
      },
      {
        "title": "Commands",
        "body": "\"Run GCP evidence sweep\": Run all checks, store results in GRC database\n\"Check GCP storage compliance\": Run Cloud Storage checks\n\"Check GCP firewall rules\": Run firewall ingress checks\n\"Check GCP IAM compliance\": Run IAM service account checks\n\"Check GCP logging status\": Verify audit logging configuration\n\"Check GCP KMS keys\": Review KMS key rotation\n\"Show GCP integration health\": Last sync, errors, evidence count"
      },
      {
        "title": "Usage",
        "body": "All evidence is stored in the shared GRC database at ~/.openclaw/grc/compliance.sqlite\nvia the auditclaw-grc skill's db_query.py script.\n\nTo run a full evidence sweep:\n\npython3 scripts/gcp_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --all\n\nTo run specific checks:\n\npython3 scripts/gcp_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --checks storage,firewall,iam"
      },
      {
        "title": "Check Categories (9 files, 12 findings)",
        "body": "Check\tWhat It Verifies\nstorage\tUniform bucket-level access, public access prevention\nfirewall\tNo unrestricted ingress (0.0.0.0/0) to SSH/RDP/all\niam\tService account key rotation (90 days), SA admin privilege restriction\nlogging\tAudit logging enabled (all services), log export sink exists\nkms\tKMS key rotation period <= 90 days\ndns\tDNSSEC enabled on public zones\nbigquery\tNo public dataset access (allUsers/allAuthenticatedUsers)\ncompute\tNo default service account with cloud-platform scope\ncloudsql\tSSL enforcement, no public IP with 0.0.0.0/0"
      },
      {
        "title": "Evidence Storage",
        "body": "Each check produces evidence items stored with:\n\nsource: \"gcp\"\ntype: \"automated\"\ncontrol_id: Mapped to relevant SOC2/ISO/HIPAA controls\ndescription: Human-readable finding summary\nfile_content: JSON details of the check result"
      },
      {
        "title": "Required IAM Roles",
        "body": "roles/viewer\nroles/iam.securityReviewer\nroles/cloudsql.viewer\nroles/logging.viewer\nroles/dns.reader\nroles/cloudkms.viewer\n\nAll checks use read-only access only."
      },
      {
        "title": "Setup Guide",
        "body": "When a user asks to set up GCP integration, guide them through these steps:"
      },
      {
        "title": "Step 1: Create Service Account",
        "body": "gcloud iam service-accounts create auditclaw-scanner --display-name=\"AuditClaw Scanner\""
      },
      {
        "title": "Step 2: Grant IAM Roles",
        "body": "Grant these 6 read-only roles:\n\nfor role in roles/viewer roles/iam.securityReviewer roles/cloudsql.viewer roles/logging.viewer roles/dns.reader roles/cloudkms.viewer; do\n  gcloud projects add-iam-policy-binding PROJECT_ID \\\n    --member=serviceAccount:auditclaw-scanner@PROJECT_ID.iam.gserviceaccount.com \\\n    --role=$role\ndone"
      },
      {
        "title": "Step 3: Generate JSON Key",
        "body": "gcloud iam service-accounts keys create key.json --iam-account=auditclaw-scanner@PROJECT_ID.iam.gserviceaccount.com"
      },
      {
        "title": "Step 4: Configure Credentials",
        "body": "Set environment variables:\n\nGOOGLE_APPLICATION_CREDENTIALS=/path/to/key.json\nGCP_PROJECT_ID=your-project-id"
      },
      {
        "title": "Step 5: Verify Connection",
        "body": "Run: python3 {baseDir}/scripts/gcp_evidence.py --test-connection\n\nThe exact roles are documented in scripts/gcp-roles.json. Show with:\npython3 {baseDir}/../auditclaw-grc/scripts/db_query.py --action show-policy --provider gcp"
      }
    ],
    "body": "AuditClaw GCP\n\nCompanion skill for auditclaw-grc. Collects compliance evidence from Google Cloud Platform projects using read-only API calls.\n\n12 checks | Viewer + Security Reviewer roles only | Evidence stored in shared GRC database\n\nSecurity Model\nRead-only access: Requires 6 read-only IAM roles (Viewer, Security Reviewer, Cloud SQL Viewer, Logging Viewer, DNS Reader, Cloud KMS Viewer). No write/modify permissions.\nCredentials: Uses standard GCP credential chain (GOOGLE_APPLICATION_CREDENTIALS or gcloud auth). No credentials stored by this skill.\nDependencies: Google Cloud SDK packages (all pinned in requirements.txt)\nData flow: Check results stored as evidence in ~/.openclaw/grc/compliance.sqlite via auditclaw-grc\nPrerequisites\nGCP credentials configured (gcloud auth application-default login or service account JSON)\nGCP_PROJECT_ID environment variable set\npip install -r scripts/requirements.txt\nauditclaw-grc skill installed and initialized\nCommands\n\"Run GCP evidence sweep\": Run all checks, store results in GRC database\n\"Check GCP storage compliance\": Run Cloud Storage checks\n\"Check GCP firewall rules\": Run firewall ingress checks\n\"Check GCP IAM compliance\": Run IAM service account checks\n\"Check GCP logging status\": Verify audit logging configuration\n\"Check GCP KMS keys\": Review KMS key rotation\n\"Show GCP integration health\": Last sync, errors, evidence count\nUsage\n\nAll evidence is stored in the shared GRC database at ~/.openclaw/grc/compliance.sqlite via the auditclaw-grc skill's db_query.py script.\n\nTo run a full evidence sweep:\n\npython3 scripts/gcp_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --all\n\n\nTo run specific checks:\n\npython3 scripts/gcp_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --checks storage,firewall,iam\n\nCheck Categories (9 files, 12 findings)\nCheck\tWhat It Verifies\nstorage\tUniform bucket-level access, public access prevention\nfirewall\tNo unrestricted 
ingress (0.0.0.0/0) to SSH/RDP/all\niam\tService account key rotation (90 days), SA admin privilege restriction\nlogging\tAudit logging enabled (all services), log export sink exists\nkms\tKMS key rotation period <= 90 days\ndns\tDNSSEC enabled on public zones\nbigquery\tNo public dataset access (allUsers/allAuthenticatedUsers)\ncompute\tNo default service account with cloud-platform scope\ncloudsql\tSSL enforcement, no public IP with 0.0.0.0/0\nEvidence Storage\n\nEach check produces evidence items stored with:\n\nsource: \"gcp\"\ntype: \"automated\"\ncontrol_id: Mapped to relevant SOC2/ISO/HIPAA controls\ndescription: Human-readable finding summary\nfile_content: JSON details of the check result\nRequired IAM Roles\nroles/viewer\nroles/iam.securityReviewer\nroles/cloudsql.viewer\nroles/logging.viewer\nroles/dns.reader\nroles/cloudkms.viewer\n\nAll checks use read-only access only.\n\nSetup Guide\n\nWhen a user asks to set up GCP integration, guide them through these steps:\n\nStep 1: Create Service Account\ngcloud iam service-accounts create auditclaw-scanner --display-name=\"AuditClaw Scanner\"\n\nStep 2: Grant IAM Roles\n\nGrant these 6 read-only roles:\n\nfor role in roles/viewer roles/iam.securityReviewer roles/cloudsql.viewer roles/logging.viewer roles/dns.reader roles/cloudkms.viewer; do\n  gcloud projects add-iam-policy-binding PROJECT_ID \\\n    --member=serviceAccount:auditclaw-scanner@PROJECT_ID.iam.gserviceaccount.com \\\n    --role=$role\ndone\n\nStep 3: Generate JSON Key\ngcloud iam service-accounts keys create key.json --iam-account=auditclaw-scanner@PROJECT_ID.iam.gserviceaccount.com\n\nStep 4: Configure Credentials\n\nSet environment variables:\n\nGOOGLE_APPLICATION_CREDENTIALS=/path/to/key.json\nGCP_PROJECT_ID=your-project-id\nStep 5: Verify Connection\n\nRun: python3 {baseDir}/scripts/gcp_evidence.py --test-connection\n\nThe exact roles are documented in scripts/gcp-roles.json. 
Show with: python3 {baseDir}/../auditclaw-grc/scripts/db_query.py --action show-policy --provider gcp"
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/mailnike/auditclaw-gcp",
    "publisherUrl": "https://clawhub.ai/mailnike/auditclaw-gcp",
    "owner": "mailnike",
    "version": "1.0.2",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/auditclaw-gcp",
    "downloadUrl": "https://openagent3.xyz/downloads/auditclaw-gcp",
    "agentUrl": "https://openagent3.xyz/skills/auditclaw-gcp/agent",
    "manifestUrl": "https://openagent3.xyz/skills/auditclaw-gcp/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/auditclaw-gcp/agent.md"
  }
}