Requirements
- Target platform
- OpenClaw
- Install method
- Manual import
- Extraction
- Extract archive
- Prerequisites
- OpenClaw
- Primary doc
- SKILL.md
Tencent SkillHub ยท Developer Tools
ISO 27001 Evidence Collection
Collect, organize, and validate evidence for ISO 27001 and SOC 2 audits. API-first approach with CLI commands for major cloud platforms. Produces timestamped...
skill openclawclawhub Free
Collect, organize, and validate evidence for ISO 27001 and SOC 2 audits. API-first approach with CLI commands for major cloud platforms. Produces timestamped...
โฌ 0 downloads โ
0 stars Unverified but indexed
Install for OpenClaw
Quick setup
- Download the package from Yavira.
- Extract the archive and review SKILL.md first.
- Import or place the package into your OpenClaw setup.
Package facts
- Download mode
- Yavira redirect
- Package format
- ZIP package
- Source platform
- Tencent SkillHub
- What's included
- CONNECTORS.md, SKILL.md, rules/api-exports.md, rules/evidence-types.md, rules/screenshot-guide.md
Validation
- Use the Yavira download entry.
- Review SKILL.md after the package is downloaded.
- Confirm the extracted package contains the expected setup assets.
Install with your agent
Agent handoff
Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.
- Download the package from Yavira.
- Extract it into a folder your agent can access.
- Paste one of the prompts below and point your agent at the extracted folder.
New install
I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete.
Upgrade existing
I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run.
Trust & source
Release facts
- Source
- Tencent SkillHub
- Verification
- Indexed source record
- Version
- 0.1.0
Provenance
- Publisher
- stevenobiajulu
- Source page
- View original listing
- Canonical URL
- Open canonical page
Documentation
ISO 27001 Evidence Collection
Systematically collect audit evidence for ISO 27001:2022 and SOC 2. This skill provides API-first evidence collection commands, organizes evidence by control, and validates completeness before auditor review.
Security Model
No scripts executed โ this skill is markdown-only procedural guidance No secrets required โ works with reference checklists; CLI commands use existing local credentials Evidence stays local โ all outputs go to the local filesystem IP-clean โ references NIST SP 800-53 (public domain); ISO controls cited by section ID only
When to Use
Activate this skill when: Preparing evidence package for external audit โ 2-4 weeks before auditor arrives Quarterly evidence refresh โ update evidence that has aged beyond the audit window After remediation โ collect evidence proving a finding has been fixed New system onboarding โ establish baseline evidence for a newly in-scope system Evidence gap analysis โ identify what's missing before the audit Do NOT use for: Running the internal audit itself โ use iso-27001-internal-audit SOC 2-only readiness assessment โ use soc2-readiness Interpreting audit findings โ use the internal audit skill
Evidence Hierarchy (Best to Worst)
RankTypeExampleWhy Better1API export (JSON/CSV)gcloud iam service-accounts list --format=jsonTimestamped, tamper-evident, reproducible2System-generated reportSOC 2 report from vendor, SIEM exportAuthoritative source, includes metadata3Configuration exportTerraform state, policy JSONShows intended state, version-controlled4Screenshot with system clockscreencapture -x ~/evidence/...Visual proof, but harder to validate5Manual attestationSigned statement by responsible personLast resort, requires corroboration
Evidence Freshness Requirements
Evidence TypeMax AgeRefresh CadenceAccess lists90 daysQuarterlyVulnerability scans30 daysMonthlyConfiguration exports90 daysQuarterlyTraining records12 monthsAnnualPenetration test12 monthsAnnualPolicy documents12 monthsAnnual reviewIncident recordsAudit periodContinuousRisk assessment12 monthsAnnual + on change
Evidence Naming Convention
{control_id}_{evidence_type}_{YYYY-MM-DD}.{ext} Examples: A.5.15_user-access-list_2026-02-28.json A.8.8_vulnerability-scan_2026-02-28.csv A.8.13_backup-test-results_2026-02-28.pdf
Step 1: Identify Evidence Gaps
Determine what evidence is missing or stale. # If compliance MCP is available: list_evidence_gaps(framework="iso27001_2022", tier="critical") # If reading local compliance data: # Check compliance/evidence/*.md files for upload_status != "OK" # Check renewal_next dates for upcoming expirations
Step 2: Prioritize Collection
Order evidence collection by: Missing evidence for Critical-tier controls โ audit blockers Stale evidence past renewal date โ auditor will reject Evidence for Relevant-tier controls โ expected but not blocking Checkbox-tier evidence โ policies and attestations
Step 3: Collect by Platform
Run evidence collection commands grouped by platform to minimize context-switching. GitHub Evidence # Org settings: MFA requirement, default permissions gh api orgs/{org} | jq '{ two_factor_requirement_enabled, default_repository_permission, members_can_create_public_repositories }' > evidence/A.5.17_github-org-mfa_$(date +%Y-%m-%d).json # Branch protection on production repos for repo in $(gh repo list {org} --json name -q '.[].name'); do gh api repos/{org}/$repo/branches/main/protection 2>/dev/null | \ jq '{repo: "'$repo'", protection: .}' >> evidence/A.8.32_branch-protection_$(date +%Y-%m-%d).json done # Recent merged PRs (change management evidence) gh pr list --state merged --limit 50 --json number,title,author,reviewDecision,mergedAt,mergedBy \ > evidence/A.8.32_change-records_$(date +%Y-%m-%d).json # Dependabot alerts (vulnerability management) gh api repos/{org}/{repo}/dependabot/alerts?state=open \ > evidence/A.8.8_dependabot-alerts_$(date +%Y-%m-%d).json # Secret scanning alerts gh api orgs/{org}/secret-scanning/alerts --paginate \ > evidence/A.8.24_secret-scanning_$(date +%Y-%m-%d).json # Audit log gh api orgs/{org}/audit-log?per_page=100 \ > evidence/A.8.15_github-audit-log_$(date +%Y-%m-%d).json GCP Evidence # IAM policy (access control) gcloud projects get-iam-policy {project} --format=json \ > evidence/A.5.15_gcp-iam-policy_$(date +%Y-%m-%d).json # Service accounts gcloud iam service-accounts list --format=json \ > evidence/A.5.16_gcp-service-accounts_$(date +%Y-%m-%d).json # Audit logging config gcloud projects get-iam-policy {project} --format=json | jq '.auditConfigs' \ > evidence/A.8.15_gcp-audit-config_$(date +%Y-%m-%d).json # Log sinks (centralization) gcloud logging sinks list --format=json \ > evidence/A.8.15_gcp-log-sinks_$(date +%Y-%m-%d).json # Compute instances (asset inventory) gcloud compute instances list --format=json \ > evidence/A.5.9_gcp-compute-inventory_$(date +%Y-%m-%d).json # Cloud SQL backup config gcloud sql backups list --instance={instance} --format=json \ > evidence/A.8.13_gcp-sql-backups_$(date +%Y-%m-%d).json # Firewall rules gcloud compute firewall-rules list --format=json \ > evidence/A.8.20_gcp-firewall-rules_$(date +%Y-%m-%d).json Azure Evidence # Role assignments (access control) az role assignment list --all --output json \ > evidence/A.5.15_azure-role-assignments_$(date +%Y-%m-%d).json # Activity log (audit trail) az monitor activity-log list --max-events 100 --output json \ > evidence/A.8.15_azure-activity-log_$(date +%Y-%m-%d).json # Network security groups az network nsg list --output json \ > evidence/A.8.20_azure-nsgs_$(date +%Y-%m-%d).json # Backup jobs az backup job list --resource-group {rg} --vault-name {vault} --output json \ > evidence/A.8.13_azure-backup-jobs_$(date +%Y-%m-%d).json # Storage encryption az storage account list --query "[].{name:name, encryption:encryption}" --output json \ > evidence/A.8.24_azure-storage-encryption_$(date +%Y-%m-%d).json Google Workspace Evidence # User list with MFA status gam print users fields primaryEmail,name,isEnrolledIn2Sv,isEnforcedIn2Sv,lastLoginTime,suspended \ > evidence/A.5.17_workspace-users-mfa_$(date +%Y-%m-%d).csv # Admin roles gam print admins > evidence/A.8.2_workspace-admins_$(date +%Y-%m-%d).csv # Mobile devices gam print mobile > evidence/A.8.1_workspace-mobile-devices_$(date +%Y-%m-%d).csv macOS Endpoint Evidence # FileVault encryption fdesetup status > evidence/A.8.24_filevault-status_$(date +%Y-%m-%d).txt # System configuration system_profiler SPHardwareDataType SPSoftwareDataType \ > evidence/A.8.1_endpoint-config_$(date +%Y-%m-%d).txt # Screen lock settings profiles show -type configuration 2>/dev/null | grep -A10 -i "lock\|idle\|screensaver" \ > evidence/A.6.7_screenlock-config_$(date +%Y-%m-%d).txt
Step 4: Validate Evidence Package
Check completeness before submitting to auditor: Completeness: Do you have evidence for every applicable control in the SoA? Freshness: Is every piece of evidence within the required age? Format: Are API exports in JSON/CSV with timestamps? Screenshots have system clock visible? Naming: Files follow the naming convention? Coverage: Critical-tier controls have at least 2 forms of evidence? # If compliance MCP is available: list_evidence_gaps(framework="iso27001_2022") # Should return empty for complete package
Step 5: Generate Evidence Index
Create an index file listing all evidence, mapped to controls: # Evidence Package Index Generated: {date} Audit period: {start} to {end} | Control | Evidence File | Type | Collected | Status | |---------|--------------|------|-----------|--------| | A.5.15 | gcp-iam-policy_2026-02-28.json | API export | 2026-02-28 | Current | | A.5.17 | workspace-users-mfa_2026-02-28.csv | API export | 2026-02-28 | Current | | ... | ... | ... | ... | ... |
DO
Use API exports with ISO 8601 timestamps over screenshots whenever possible Collect evidence from the SOURCE system (IdP, not a secondary report) Include metadata: collection date, system version, user who collected Store evidence in version-controlled directory with clear naming Collect evidence for the AUDIT PERIOD (usually past 12 months), not just current state Use screencapture -x ~/evidence/{filename}.png for screenshots (captures without shadow/border)
DON'T
Take screenshots without visible system clock (menu bar on macOS, taskbar on Windows) Collect evidence from sandbox/staging instead of production Manually edit evidence after collection (auditors may verify against source) Wait until the week before the audit to collect everything Assume stale evidence is acceptable โ check freshness requirements above Mix evidence from different audit periods in the same file
Troubleshooting
ProblemSolutionAPI command requires authUse existing local credentials: gcloud auth login, az login, gh auth loginTool not installedInstall: brew install gh, brew install --cask google-cloud-sdk, brew install azure-cliInsufficient permissionsRequest read-only access to the relevant service; document the access request as evidenceEvidence too largeUse --limit or --max-events flags; collect summary statistics instead of full exportVendor won't provide SOC 2 reportRequest via their trust center; if unavailable, document the request and use their security pageScreenshot doesn't include clockOn macOS: use full-screen capture, or screencapture -x which includes menu bar
Rules
For detailed evidence collection guidance by topic: FileCoveragerules/api-exports.mdCLI commands by cloud provider (GCP, Azure, AWS, GitHub, Google Workspace)rules/screenshot-guide.mdWhen and how to take audit-ready screenshotsrules/evidence-types.mdEvidence type requirements per control domain
Attribution
Evidence collection procedures and control guidance developed with Internal ISO Audit (Hazel Castro, ISO 27001 Lead Auditor, 14+ years, 100+ audits).
Runtime Detection
Compliance MCP server available (best) โ Automated gap detection, evidence freshness tracking Local compliance data available (good) โ Reads evidence status from compliance/evidence/*.md Reference only (baseline) โ Uses embedded checklists and command reference
Category context
Code helpers, APIs, CLIs, browser automation, testing, and developer operations.
Source: Tencent SkillHub
Largest current source with strong distribution and engagement signals.
Package contents
Included in package
5 Docs
- SKILL.md
- CONNECTORS.md
- rules/api-exports.md
- rules/evidence-types.md
- rules/screenshot-guide.md