{
  "schemaVersion": "1.0",
  "item": {
    "slug": "grc-agent-soc2-quality-review",
    "name": "GRC-Agent | SOC 2 Quality Review",
    "source": "tencent",
    "type": "skill",
    "category": "AI 智能",
    "sourceUrl": "https://clawhub.ai/mangopudding/grc-agent-soc2-quality-review",
    "canonicalUrl": "https://clawhub.ai/mangopudding/grc-agent-soc2-quality-review",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/grc-agent-soc2-quality-review",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=grc-agent-soc2-quality-review",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "SKILL.md",
      "references/vendor-request-templates.md",
      "references/decision-matrix.md",
      "references/confidence-rubric.md",
      "references/advanced-diligence.md",
      "references/evidence-citation-format.md"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-30T16:55:25.780Z",
      "expiresAt": "2026-05-07T16:55:25.780Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network",
        "contentDisposition": "attachment; filename=\"network-1.0.0.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/grc-agent-soc2-quality-review"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/grc-agent-soc2-quality-review",
    "agentPageUrl": "https://openagent3.xyz/skills/grc-agent-soc2-quality-review/agent",
    "manifestUrl": "https://openagent3.xyz/skills/grc-agent-soc2-quality-review/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/grc-agent-soc2-quality-review/agent.md"
  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "Project Background & Acknowledgment",
        "body": "This skill was built using the SOC 2 Quality Guild resources at s2guild.org as a baseline for quality-focused SOC 2 vendor attestation reviews.\n\nThis project was the first GRC agent I wanted to try creating with OpenClaw after setting up across multiple environments, including Raspberry Pi, Intel NUC, several LXC containers, and a cluster setup of 3 Mac Studios using EXO.\n\nBig thanks to the SOC 2 Quality Guild community for sharing excellent, practical guidance that helped shape this agent."
      },
      {
        "title": "Maintainer",
        "body": "Author: Simon Tin-Yul Kok\nLinkedIn: https://www.linkedin.com/in/simonkok/\nGitHub: https://github.com/mangopudding/\n\nReview SOC 2 quality before trusting conclusions."
      },
      {
        "title": "When NOT to use this skill",
        "body": "Do not use this skill for:\n\nLegal advice or legal conclusions about regulatory compliance.\nFormal certification decisions (this is a quality review aid, not an issuing authority).\nDeep technical penetration testing or exploit validation.\nHistorical incident forensics requiring endpoint/network-level evidence collection.\nVendor contract drafting as a substitute for legal/procurement review."
      },
      {
        "title": "Workflow",
        "body": "Confirm review profile (audience, risk posture, strictness).\nConfirm scope.\nScore all 11 signals.\nRun S12+ advanced diligence.\nSummarize critical gaps.\nProduce decision + follow-up requests."
      },
      {
        "title": "Review profile (required)",
        "body": "Before scoring, capture these user-selectable settings:\n\nPrimary audience: Security, Procurement, Customer Trust, or All\nRisk posture: Conservative / Balanced / Lenient\nData sensitivity baseline: High / Medium / Low\nEvidence strictness: Escalate on Unknown / Conditional acceptance with deadline / Case-by-case\nOutput style: Executive memo, Full analyst report, or Both\n\nDefault to user-provided settings when available. If not provided, ask once before final verdict."
      },
      {
        "title": "1) Confirm scope",
        "body": "Capture:\n\nReport type: Type 1 or Type 2\nPeriod covered\nTrust Services Categories in scope\nIn-scope system boundary\nAuditor firm + signer\nQualification status (unqualified/qualified/adverse/disclaimer)\n\nIf key sections are missing, stop and request a full report."
      },
      {
        "title": "2) Score all 11 signals",
        "body": "Read references/rubric.md and score each signal:\n\n2 = strong evidence\n1 = partial or ambiguous\n0 = missing, contradictory, or weak\n\nUse a strict standard for Section 4 testing detail and source credibility checks."
      },
      {
        "title": "2b) Run S12+ advanced diligence questions",
        "body": "After S1–S11 scoring, run references/advanced-diligence.md and collect answers for the additional diligence set.\n\nRules:\n\nTreat S12+ as decision-strengthening checks, not replacements for S1–S11.\nIf an answer is unavailable, mark it explicitly as Unknown and create a follow-up request.\nElevate risk when multiple S12+ items remain unknown for high-sensitivity data use cases."
      },
      {
        "title": "3) Flag hard fails",
        "body": "Treat these as high-severity findings by default:\n\nMissing required auditor report structure (S1)\nMissing/incomplete unsigned management assertion (S2)\nUnlicensed or unverified CPA firm (S8)\nPervasive testing vagueness on critical controls (S7)\n\nIf one or more hard fails exist, recommend compensating evidence even if the opinion is unqualified."
      },
      {
        "title": "4) Produce outputs",
        "body": "Always return three artifacts."
      },
      {
        "title": "A) Executive verdict (short)",
        "body": "Overall confidence: High / Medium / Low (use references/confidence-rubric.md)\nDecision: Accept / Accept with conditions / Escalate / Reject\nTop 3 reasons"
      },
      {
        "title": "B) Scorecard",
        "body": "List S1–S11 with:\n\nScore (0/1/2)\nEvidence citation (use references/evidence-citation-format.md)\nWhy it matters\nFollow-up request (if score <2)"
      },
      {
        "title": "C) Follow-up request pack",
        "body": "Create a vendor-facing request list using references/vendor-request-templates.md:\n\nDirect evidence needed\nClarifications required\nDeadline recommendation\nDecision gate (what must be resolved)"
      },
      {
        "title": "Scoring guidance",
        "body": "Prioritize evidence quality over report polish.\nPenalize boilerplate language that could apply to any company.\nPenalize weak control-to-criteria logic.\nPenalize mismatch between exceptions and opinion severity.\nSeparate auditor credibility concerns from control design concerns."
      },
      {
        "title": "Decision rubric",
        "body": "Use references/decision-matrix.md with the selected risk posture and evidence strictness.\n\nBaseline outcomes:\n\nAccept: no hard fails, most signals strong, no unresolved critical gaps.\nAccept with conditions: limited gaps, clear compensating evidence path.\nEscalate: mixed evidence, source credibility concerns, or unclear testing sufficiency.\nReject: fundamental structure/source failures or severe unresolved substance failures."
      },
      {
        "title": "Required response format",
        "body": "Use this exact section order:\n\nExecutive verdict\nSignal-by-signal scorecard (S1–S11)\nAdvanced diligence (S12+) findings\nCritical risks\nVendor follow-up questions\nInterim compensating controls (what your org should do now)\n\nFor structure and quality calibration, mirror references/output-example.md."
      },
      {
        "title": "Calibration rules",
        "body": "Apply thresholds using selected profile:\n\nHigh sensitivity (PII/PHI/financial, including candidate resume and employer/company data): require strong minimums on S4/S6/S7/S8 and tighter follow-up deadlines.\nMedium sensitivity: allow limited partials with compensating evidence.\nLow sensitivity: tolerate minor source/substance weaknesses with conditions.\n\nApply evidence strictness setting:\n\nEscalate on Unknown: unknowns on critical areas force Escalate.\nConditional acceptance with deadline: permit temporary acceptance only with explicit due dates and owners.\nCase-by-case: weigh unknowns by control criticality and data sensitivity."
      }
    ],
    "body": "SOC 2 Quality Review\nProject Background & Acknowledgment\n\nThis skill was built using the SOC 2 Quality Guild resources at s2guild.org as a baseline for quality-focused SOC 2 vendor attestation reviews.\n\nThis project was the first GRC agent I wanted to try creating with OpenClaw after setting up across multiple environments, including Raspberry Pi, Intel NUC, several LXC containers, and a cluster setup of 3 Mac Studios using EXO.\n\nBig thanks to the SOC 2 Quality Guild community for sharing excellent, practical guidance that helped shape this agent.\n\nMaintainer\nAuthor: Simon Tin-Yul Kok\nLinkedIn: https://www.linkedin.com/in/simonkok/\nGitHub: https://github.com/mangopudding/\n\nReview SOC 2 quality before trusting conclusions.\n\nWhen NOT to use this skill\n\nDo not use this skill for:\n\nLegal advice or legal conclusions about regulatory compliance.\nFormal certification decisions (this is a quality review aid, not an issuing authority).\nDeep technical penetration testing or exploit validation.\nHistorical incident forensics requiring endpoint/network-level evidence collection.\nVendor contract drafting as a substitute for legal/procurement review.\nWorkflow\nConfirm review profile (audience, risk posture, strictness).\nConfirm scope.\nScore all 11 signals.\nRun S12+ advanced diligence.\nSummarize critical gaps.\nProduce decision + follow-up requests.\nReview profile (required)\n\nBefore scoring, capture these user-selectable settings:\n\nPrimary audience: Security, Procurement, Customer Trust, or All\nRisk posture: Conservative / Balanced / Lenient\nData sensitivity baseline: High / Medium / Low\nEvidence strictness: Escalate on Unknown / Conditional acceptance with deadline / Case-by-case\nOutput style: Executive memo, Full analyst report, or Both\n\nDefault to user-provided settings when available. If not provided, ask once before final verdict.\n\n1) Confirm scope\n\nCapture:\n\nReport type: Type 1 or Type 2\nPeriod covered\nTrust Services Categories in scope\nIn-scope system boundary\nAuditor firm + signer\nQualification status (unqualified/qualified/adverse/disclaimer)\n\nIf key sections are missing, stop and request a full report.\n\n2) Score all 11 signals\n\nRead references/rubric.md and score each signal:\n\n2 = strong evidence\n1 = partial or ambiguous\n0 = missing, contradictory, or weak\n\nUse a strict standard for Section 4 testing detail and source credibility checks.\n\n2b) Run S12+ advanced diligence questions\n\nAfter S1–S11 scoring, run references/advanced-diligence.md and collect answers for the additional diligence set.\n\nRules:\n\nTreat S12+ as decision-strengthening checks, not replacements for S1–S11.\nIf an answer is unavailable, mark it explicitly as Unknown and create a follow-up request.\nElevate risk when multiple S12+ items remain unknown for high-sensitivity data use cases.\n3) Flag hard fails\n\nTreat these as high-severity findings by default:\n\nMissing required auditor report structure (S1)\nMissing/incomplete unsigned management assertion (S2)\nUnlicensed or unverified CPA firm (S8)\nPervasive testing vagueness on critical controls (S7)\n\nIf one or more hard fails exist, recommend compensating evidence even if the opinion is unqualified.\n\n4) Produce outputs\n\nAlways return three artifacts.\n\nA) Executive verdict (short)\nOverall confidence: High / Medium / Low (use references/confidence-rubric.md)\nDecision: Accept / Accept with conditions / Escalate / Reject\nTop 3 reasons\nB) Scorecard\n\nList S1–S11 with:\n\nScore (0/1/2)\nEvidence citation (use references/evidence-citation-format.md)\nWhy it matters\nFollow-up request (if score <2)\nC) Follow-up request pack\n\nCreate a vendor-facing request list using references/vendor-request-templates.md:\n\nDirect evidence needed\nClarifications required\nDeadline recommendation\nDecision gate (what must be resolved)\nScoring guidance\nPrioritize evidence quality over report polish.\nPenalize boilerplate language that could apply to any company.\nPenalize weak control-to-criteria logic.\nPenalize mismatch between exceptions and opinion severity.\nSeparate auditor credibility concerns from control design concerns.\nDecision rubric\n\nUse references/decision-matrix.md with the selected risk posture and evidence strictness.\n\nBaseline outcomes:\n\nAccept: no hard fails, most signals strong, no unresolved critical gaps.\nAccept with conditions: limited gaps, clear compensating evidence path.\nEscalate: mixed evidence, source credibility concerns, or unclear testing sufficiency.\nReject: fundamental structure/source failures or severe unresolved substance failures.\nRequired response format\n\nUse this exact section order:\n\nExecutive verdict\nSignal-by-signal scorecard (S1–S11)\nAdvanced diligence (S12+) findings\nCritical risks\nVendor follow-up questions\nInterim compensating controls (what your org should do now)\n\nFor structure and quality calibration, mirror references/output-example.md.\n\nCalibration rules\n\nApply thresholds using selected profile:\n\nHigh sensitivity (PII/PHI/financial, including candidate resume and employer/company data): require strong minimums on S4/S6/S7/S8 and tighter follow-up deadlines.\nMedium sensitivity: allow limited partials with compensating evidence.\nLow sensitivity: tolerate minor source/substance weaknesses with conditions.\n\nApply evidence strictness setting:\n\nEscalate on Unknown: unknowns on critical areas force Escalate.\nConditional acceptance with deadline: permit temporary acceptance only with explicit due dates and owners.\nCase-by-case: weigh unknowns by control criticality and data sensitivity."
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/mangopudding/grc-agent-soc2-quality-review",
    "publisherUrl": "https://clawhub.ai/mangopudding/grc-agent-soc2-quality-review",
    "owner": "mangopudding",
    "version": "1.0.0",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/grc-agent-soc2-quality-review",
    "downloadUrl": "https://openagent3.xyz/downloads/grc-agent-soc2-quality-review",
    "agentUrl": "https://openagent3.xyz/skills/grc-agent-soc2-quality-review/agent",
    "manifestUrl": "https://openagent3.xyz/skills/grc-agent-soc2-quality-review/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/grc-agent-soc2-quality-review/agent.md"
  }
}