GRC-Agent | SOC 2 Quality Review
by @mangopudding
Evaluate SOC 2 report quality using the SOC 2 Quality Guild rubric (Structure, Substance, Source). Use when reviewing a vendor SOC 2 Type 1/Type 2 report, tr...
clawhub install grc-agent-soc2-quality-reviewπ About This Skill
name: grc-agent-soc2-quality-review description: Evaluate SOC 2 report quality using the SOC 2 Quality Guild rubric (Structure, Substance, Source). Use when reviewing a vendor SOC 2 Type 1/Type 2 report, triaging report credibility, producing a risk memo, or preparing diligence follow-up questions and evidence requests.
SOC 2 Quality Review
Project Background & Acknowledgment
This skill was built using the SOC 2 Quality Guild resources at s2guild.org as a baseline for quality-focused SOC 2 vendor attestation reviews.
This project was the first GRC agent I wanated to try creating with OpenClaw after setting up across multiple environments, including Raspberry Pi, Intel NUC, several LXC containers, and a cluster setup of 3 Mac Studios using EXO.
Big thanks to the SOC 2 Quality Guild community for sharing excellent, practical guidance that helped shape this agent.
Maintainer
Review SOC 2 quality before trusting conclusions.
When NOT to use this skill
Do not use this skill for:
Workflow
1. Confirm review profile (audience, risk posture, strictness). 2. Confirm scope. 3. Score all 11 signals. 4. Run S12+ advanced diligence. 5. Summarize critical gaps. 6. Produce decision + follow-up requests.
Review profile (required)
Before scoring, capture these user-selectable settings:
Default to user-provided settings when available. If not provided, ask once before final verdict.
1) Confirm scope
Capture:
If key sections are missing, stop and request a full report.
2) Score all 11 signals
Read references/rubric.md and score each signal:
Use a strict standard for Section 4 testing detail and source credibility checks.
2b) Run S12+ advanced diligence questions
After S1βS11 scoring, run references/advanced-diligence.md and collect answers for the additional diligence set.
Rules:
Unknown and create a follow-up request.3) Flag hard fails
Treat these as high-severity findings by default:
If one or more hard fails exist, recommend compensating evidence even if the opinion is unqualified.
4) Produce outputs
Always return three artifacts.
A) Executive verdict (short)
references/confidence-rubric.md)B) Scorecard
List S1βS11 with:
references/evidence-citation-format.md)C) Follow-up request pack
Create a vendor-facing request list using references/vendor-request-templates.md:
Scoring guidance
Decision rubric
Use references/decision-matrix.md with the selected risk posture and evidence strictness.
Baseline outcomes:
Required response format
Use this exact section order: 1. Executive verdict 2. Signal-by-signal scorecard (S1βS11) 3. Advanced diligence (S12+) findings 4. Critical risks 5. Vendor follow-up questions 6. Interim compensating controls (what your org should do now)
For structure and quality calibration, mirror references/output-example.md.
Calibration rules
Apply thresholds using selected profile:
Apply evidence strictness setting: