什么是 合规性检查器？

合规性检查器提供了一个强大的框架，用于在本地 AI 环境中定义、强制执行和跟踪安全策略。标准扫描器仅识别漏洞，而此工具允许您为您特定的 Openclaw Skills 精确定义什么是“合规”，并将发现结果直接映射到 CIS 控制和 OWASP 等行业标准。它作为代理生态系统的终极治理层，确保每个安装的技能都符合组织的安全态势。

通过集成扫描器和信任验证器的结果，合规性检查器为合规状态、豁免和修复工作流提供了一个集中的仪表板。它弥合了原始技术扫描与可操作组织策略之间的鸿沟，使管理各种 Openclaw Skills 的安全生命周期变得更加容易。

下载入口:https://github.com/openclaw/skills/tree/main/skills/trypto1019/arc-compliance-checker

安装与下载

1. ClawHub CLI

从源直接安装技能的最快方式。

2. 手动安装

将技能文件夹复制到以下位置之一

优先级：工作区 > 本地 > 内置

3. 提示词安装

将此提示词复制到 OpenClaw 即可自动安装。

合规性检查器 应用场景

• 需要根据内部安全基准审计 Openclaw Skills 的组织。
• 希望在部署前确保其代理技能符合生产就绪标准的开发人员。
• 将 AI 代理活动映射到 CIS 控制或 OWASP 框架以进行监管对齐的安全团队。
• 需要合规门禁以防止激活不合规技能的自动化 CI/CD 流水线。

1. 定义命名的安全策略，并填充特定规则，如信任要求、网络限制或依赖项固定。
2. 该技能从技能扫描器和信任验证器等外部来源聚合数据，以构建全面的数据配置文件。
3. 针对单个或多个 Openclaw Skills 运行评估，以识别特定的策略违规行为。
4. 查看生成的合规状态，该状态将技能标记为“合规”、“不合规”、“已豁免”或“未知”。
5. 使用记录的理由管理有效的例外情况，或跟踪已识别问题的修复步骤。
6. 以 JSON 或文本格式生成详细的合规报告，用于内部审计和记录保存。

合规性检查器 配置指南

要开始使用，请确保系统中已安装 Python 3。然后，您可以使用 CLI 定义策略并评估您的 Openclaw Skills：

# 创建新的生产策略
python3 scripts/checker.py policy create --name "production" --description "Production requirements"

# 添加要求高信任级别的规则
python3 scripts/checker.py policy add-rule --policy "production" --rule "trust-verified" --severity high

# 根据策略评估已安装的技能
python3 scripts/checker.py assess --skill "arc-budget-tracker" --policy "production"

# 运行完整的扫描-验证-评估流水线
python3 scripts/checker.py pipeline --skill "some-skill" --policy "production"

合规性检查器 数据架构与分类体系

合规数据使用清晰的基于 JSON 的分类法组织在 ~/.openclaw/compliance/ 目录中：

name: compliance-checker
description: Policy-based compliance assessment for OpenClaw skills. Define security policies, assess skills against them, track violations, and generate compliance reports. Maps findings to frameworks like CIS Controls and OWASP. Integrates with arc-skill-scanner and arc-trust-verifier.
user-invocable: true
metadata: {"openclaw": {"emoji": "???", "os": ["darwin", "linux"], "requires": {"bins": ["python3"]}}}

Compliance Checker

Assess OpenClaw skills against defined security policies. Track compliance posture across your skill inventory with framework-mapped findings and remediation tracking.

Why This Exists

Security scanners find vulnerabilities. Trust verifiers check provenance. But neither answers: "Does this skill meet our security policy?" Compliance Checker bridges the gap — define what "compliant" means for your environment, then assess every skill against those rules.

Quick Start

Define a policy

python3 {baseDir}/scripts/checker.py policy create --name "production" --description "Production deployment requirements"

Add rules to the policy

python3 {baseDir}/scripts/checker.py policy add-rule --policy "production" r
  --rule "no-critical-findings" r
  --description "No CRITICAL findings from skill scanner" r
  --severity critical

python3 {baseDir}/scripts/checker.py policy add-rule --policy "production" r
  --rule "trust-verified" r
  --description "Must have VERIFIED or TRUSTED trust level" r
  --severity high

python3 {baseDir}/scripts/checker.py policy add-rule --policy "production" r
  --rule "no-network-calls" r
  --description "No unauthorized network calls in scripts" r
  --severity high

python3 {baseDir}/scripts/checker.py policy add-rule --policy "production" r
  --rule "no-shell-exec" r
  --description "No shell=True or subprocess calls" r
  --severity medium

python3 {baseDir}/scripts/checker.py policy add-rule --policy "production" r
  --rule "has-checksum" r
  --description "Must have SHA-256 checksums for all scripts" r
  --severity medium

Assess a skill against a policy

python3 {baseDir}/scripts/checker.py assess --skill "arc-budget-tracker" --policy "production"

Assess all installed skills

python3 {baseDir}/scripts/checker.py assess-all --policy "production"

View compliance status

python3 {baseDir}/scripts/checker.py status --policy "production"

Generate compliance report

python3 {baseDir}/scripts/checker.py report --policy "production" --format json
python3 {baseDir}/scripts/checker.py report --policy "production" --format text

Built-in Rules

The following rules are available out of the box:

Compliance Status

Each skill-policy assessment produces one of:

• COMPLIANT — Passes all rules in the policy
• NON-COMPLIANT — Fails one or more rules
• EXEMPTED — Has approved exemptions for all failures
• UNKNOWN — Not yet assessed

Exemptions

Sometimes a skill legitimately needs to violate a rule (e.g., a network monitoring skill needs network access). Record exemptions with justification:

python3 {baseDir}/scripts/checker.py exempt --skill "arc-skill-scanner" r
  --rule "no-network-calls" r
  --reason "Scanner needs network access to check URLs against blocklists" r
  --approved-by "arc"

Remediation Tracking

When a skill fails compliance, track the fix:

python3 {baseDir}/scripts/checker.py remediate --skill "some-skill" r
  --rule "no-shell-exec" r
  --action "Replaced subprocess.call with safer alternative" r
  --status fixed

Storage

Compliance data is stored in ~/.openclaw/compliance/:

• policies/ — Policy definitions (JSON)
• assessments/ — Assessment results per skill (JSON)
• exemptions/ — Approved exemptions (JSON)
• remediations/ — Remediation tracking (JSON)

Integration

Compliance Checker reads output from:

• arc-skill-scanner — vulnerability findings
• arc-trust-verifier — trust levels and attestations

Run a full pipeline:

# Scan → verify trust → assess compliance
python3 {baseDir}/scripts/checker.py pipeline --skill "some-skill" --policy "production"