🎁 Get the FREE AI Skills Starter GuideSubscribe →
BytesAgainBytesAgain
🦀 ClawHub

agent-bom compliance

by @msaad00

AI compliance and policy engine — evaluate scan results against OWASP, NIST, SOC 2, ISO 27001, CMMC, EU AI Act, AISVS v1.0, and related frameworks. Generate...

Versionv0.88.5
Downloads1,813
Installs2
TERMINAL
clawhub install agent-bom-compliance

📖 About This Skill


name: agent-bom-compliance description: >- AI compliance and policy engine — evaluate scan results against OWASP, NIST, SOC 2, ISO 27001, CMMC, EU AI Act, AISVS v1.0, and related frameworks. Generate SBOMs and compliance reports. Use when: "compliance report", "NIST", "SOC 2", "ISO 27001", "OWASP", "EU AI Act", "AISVS", "generate SBOM", "policy check". version: 0.86.1 license: Apache-2.0 compatibility: >- Requires Python 3.11+. Install via pipx or pip. OWASP/NIST/EU AI Act/MITRE evaluation and SBOM generation are fully local with zero credentials. CIS benchmark checks optionally use cloud SDK credentials (AWS/Azure/GCP/Snowflake) and make read-only API calls to cloud providers when explicitly invoked. metadata: author: msaad00 homepage: https://github.com/msaad00/agent-bom source: https://github.com/msaad00/agent-bom pypi: https://pypi.org/project/agent-bom/ scorecard: https://securityscorecards.dev/viewer/?uri=github.com/msaad00/agent-bom tests: 7239 install: pipx: agent-bom pip: agent-bom docker: ghcr.io/msaad00/agent-bom:0.86.1 openclaw: requires: bins: [] env: [] credentials: none credential_policy: "Zero credentials required for OWASP/NIST/EU AI Act compliance and SBOM generation. CIS benchmark checks (AWS, Azure, GCP, Snowflake) optionally accept cloud credentials — only used locally to call cloud APIs, never transmitted elsewhere." credential_handling: "Use only operator-configured cloud SDK credentials for explicitly requested CIS checks. Do not ask users to paste secrets, and never print cloud tokens, private keys, passwords, or connection strings." optional_env: - name: AWS_PROFILE purpose: "AWS CIS benchmark checks — uses boto3 with your local AWS profile" required: false - name: AZURE_TENANT_ID purpose: "Azure CIS benchmark checks (azure-mgmt-* SDK)" required: false - name: AZURE_CLIENT_ID purpose: "Azure CIS benchmark checks — service principal client ID" required: false - name: AZURE_CLIENT_SECRET purpose: "Azure CIS benchmark checks — service principal secret" required: false - name: GOOGLE_APPLICATION_CREDENTIALS purpose: "GCP CIS benchmark checks (google-cloud-* SDK)" required: false - name: SNOWFLAKE_ACCOUNT purpose: "Snowflake CIS benchmark checks" required: false - name: SNOWFLAKE_USER purpose: "Snowflake CIS benchmark checks" required: false - name: SNOWFLAKE_PRIVATE_KEY_PATH purpose: "Snowflake key-pair auth (CI/CD)" required: false - name: SNOWFLAKE_AUTHENTICATOR purpose: "Snowflake auth method (default: externalbrowser SSO)" required: false optional_bins: [] emoji: "\U00002705" homepage: https://github.com/msaad00/agent-bom source: https://github.com/msaad00/agent-bom license: Apache-2.0 os: - darwin - linux - windows data_flow: >- OWASP/NIST/EU AI Act/MITRE/SBOM evaluation is purely local — zero network calls. CIS benchmark checks (optional, user-initiated) call cloud provider APIs (AWS/Azure/GCP/Snowflake) using locally configured credentials. No data is stored or transmitted beyond the cloud provider's own API. File reads are limited to user-provided SBOMs and policy files. file_reads: - "user-provided SBOM files (CycloneDX/SPDX JSON)" - "user-provided policy files (YAML/JSON policy-as-code)" file_writes: [] network_endpoints: - url: "https://*.amazonaws.com" purpose: "AWS CIS benchmark checks — read-only API calls (IAM, S3, CloudTrail, etc.)" auth: true optional: true - url: "https://management.azure.com" purpose: "Azure CIS benchmark checks — read-only API calls (Azure Resource Manager)" auth: true optional: true - url: "https://*.googleapis.com" purpose: "GCP CIS benchmark checks — read-only API calls (Cloud Resource Manager, IAM, etc.)" auth: true optional: true - url: "https://*.snowflakecomputing.com" purpose: "Snowflake CIS benchmark checks — read-only API calls (ACCOUNT_USAGE views)" auth: true optional: true telemetry: false persistence: false privilege_escalation: false always: false autonomous_invocation: restricted

agent-bom-compliance — AI Compliance & Policy Engine

Evaluate AI infrastructure scan results against 14 security and regulatory frameworks. Enforce policy-as-code rules. Generate SBOMs in standard formats. Run AISVS v1.0 and CIS benchmark checks.

Install

pipx install agent-bom
agent-bom agents --compliance --compliance-export nist-ai-rmf
agent-bom agents -f cyclonedx -o sbom.json

When to Use

  • "compliance report" / "run compliance"
  • "NIST" / "NIST AI RMF" / "NIST CSF" / "NIST 800-53"
  • "SOC 2" / "SOC2"
  • "ISO 27001"
  • "OWASP" / "OWASP LLM Top 10" / "OWASP Agentic Top 10"
  • "EU AI Act"
  • "AISVS" / "AI Security Verification Standard"
  • "CMMC" / "FedRAMP"
  • "generate SBOM" / "CycloneDX" / "SPDX"
  • "policy check" / "policy enforcement"
  • Tools (5)

    | Tool | Description | |------|-------------| | compliance | OWASP LLM/Agentic Top 10, EU AI Act, MITRE ATLAS, NIST AI RMF | | policy_check | Evaluate results against custom security policy (17 conditions) | | cis_benchmark | Run CIS benchmark checks against cloud accounts | | generate_sbom | Generate SBOM (CycloneDX or SPDX format) | | aisvs_benchmark | OWASP AISVS v1.0 compliance — 9 AI security checks |

    Supported Frameworks (15)

  • OWASP LLM Top 10 (2025) — prompt injection, supply chain, data leakage
  • OWASP MCP Top 10 — MCP-specific security risks
  • OWASP Agentic Top 10 — tool poisoning, rug pulls, credential theft
  • MITRE ATLAS — adversarial ML threat framework
  • MITRE ATT&CK Enterprise — adversary techniques tagged via CWE → CAPEC → ATT&CK on every blast-radius finding
  • NIST AI RMF — govern, map, measure, manage lifecycle
  • NIST CSF 2.0 — identify, protect, detect, respond, recover
  • NIST 800-53 Rev 5 — federal security controls (CM-8, RA-5, SI-2, SR-3)
  • FedRAMP Moderate — derived from NIST 800-53 controls
  • EU AI Act — risk classification, transparency, SBOM requirements
  • ISO 27001:2022 — information security controls (Annex A)
  • SOC 2 — Trust Services Criteria
  • CIS Controls v8 — implementation groups IG1/IG2/IG3
  • CMMC 2.0 — cybersecurity maturity model (Level 1-3)
  • PCI DSS v4.0 — payment-card data security requirements
  • OWASP AISVS v1.0 ships as a benchmark surface alongside the tag-mapped frameworks (9 verification checks).

    Examples

    # Run compliance check against multiple frameworks
    compliance(frameworks=["owasp_llm", "eu_ai_act", "nist_ai_rmf"])

    Enforce custom policy

    policy_check(policy={"max_critical": 0, "max_high": 5})

    Generate SBOM

    generate_sbom(format="cyclonedx")

    Run AISVS v1.0 compliance

    aisvs_benchmark()

    Run AWS CIS benchmark

    cis_benchmark(provider="aws")

    Privacy & Data Handling

    **OWASP, NIST, EU AI Act, MITRE ATLAS, AISVS, SBOM generation, and policy checks** run entirely locally on scan data already in memory. No network calls, no credentials needed for these features.

    CIS benchmark checks (optional, user-initiated) call cloud provider APIs using your locally configured credentials. These are read-only API calls to AWS, Azure, GCP, or Snowflake. You must explicitly run cis_benchmark(provider=...) and confirm before any cloud API calls are made.

    Verification

  • Source: github.com/msaad00/agent-bom (Apache-2.0)
  • 7,100+ tests with CodeQL + OpenSSF Scorecard
  • No telemetry: Zero tracking, zero analytics
  • ⚡ When to Use

    TriggerAction
    - "NIST" / "NIST AI RMF" / "NIST CSF" / "NIST 800-53"
    - "SOC 2" / "SOC2"
    - "ISO 27001"
    - "OWASP" / "OWASP LLM Top 10" / "OWASP Agentic Top 10"
    - "EU AI Act"
    - "AISVS" / "AI Security Verification Standard"
    - "CMMC" / "FedRAMP"
    - "generate SBOM" / "CycloneDX" / "SPDX"
    - "policy check" / "policy enforcement"

    💡 Examples

    # Run compliance check against multiple frameworks
    compliance(frameworks=["owasp_llm", "eu_ai_act", "nist_ai_rmf"])

    Enforce custom policy

    policy_check(policy={"max_critical": 0, "max_high": 5})

    Generate SBOM

    generate_sbom(format="cyclonedx")

    Run AISVS v1.0 compliance

    aisvs_benchmark()

    Run AWS CIS benchmark

    cis_benchmark(provider="aws")