azure-key-vault-auditor
Audit Azure Key Vault configuration, access policies, and secret hygiene for credential exposure risks
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/anmolnagpal/key-vault-auditor
What This Skill Does
The azure-key-vault-auditor is a specialized security diagnostic tool designed for OpenClaw. It acts as an expert consultant to analyze Azure Key Vault configurations, access policies, and secret management hygiene. The skill identifies critical vulnerabilities such as public network exposure, legacy access policies that lack granular control, and the absence of essential safety features like soft-delete and purge protection. By analyzing JSON exports from Azure CLI, the auditor highlights high-risk areas including over-privileged identities, near-expiry certificates, and stagnant secrets that haven't been rotated in over 90 days. It provides actionable remediation steps, including hardened Bicep templates and strategies to migrate service principals to managed identities, ensuring your infrastructure adheres to the principle of least privilege and zero-trust architecture.
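The checks described above, as an added example that is not part of the skill or this listing: a small Python audit over the shape of `az keyvault show` and `az keyvault secret list` JSON. The sample documents, the objectIds, the 90-day threshold and the set of secret permissions treated as "broad" are constructed assumptions, not real vault output.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample data (not real vault output), shaped like the
# `az keyvault show` and `az keyvault secret list` JSON the auditor consumes.
VAULT_JSON = """{"name": "prod-kv", "properties": {
  "enableSoftDelete": true, "enablePurgeProtection": false,
  "enableRbacAuthorization": false, "publicNetworkAccess": "Enabled",
  "networkAcls": {"defaultAction": "Allow"},
  "accessPolicies": [
    {"objectId": "00000000-0000-0000-0000-000000000001",
     "permissions": {"secrets": ["all"], "keys": ["get"], "certificates": []}},
    {"objectId": "00000000-0000-0000-0000-000000000002",
     "permissions": {"secrets": ["get"], "keys": [], "certificates": []}}]}}"""
SECRETS_JSON = """[
  {"name": "db-password", "attributes": {"updated": "2024-01-15T10:00:00+00:00"}},
  {"name": "api-token",   "attributes": {"updated": "2024-05-20T08:30:00+00:00"}}]"""
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock, reproducible
BROAD = {"all", "purge", "set", "delete"}  # assumed "over-privileged" secret rights

def audit_vault(vault: dict) -> list[str]:
    """Return finding codes for one parsed `az keyvault show` document."""
    p = vault["properties"]
    findings = []
    public = p.get("publicNetworkAccess", "Enabled") != "Disabled"
    open_acl = p.get("networkAcls", {}).get("defaultAction", "Allow") != "Deny"
    if public and open_acl:                      # reachable from any network
        findings.append("public-network-exposure")
    if not p.get("enableRbacAuthorization", False):  # still on access policies
        findings.append("legacy-access-policies")
    if not p.get("enableSoftDelete", False):
        findings.append("soft-delete-disabled")
    if not p.get("enablePurgeProtection", False):
        findings.append("purge-protection-disabled")
    for pol in p.get("accessPolicies", []):      # flag identities with broad rights
        perms = {x.lower() for x in pol["permissions"].get("secrets", [])}
        if perms & BROAD:
            findings.append(f"over-privileged:{pol['objectId']}")
    return findings

def stale_secrets(secrets: list[dict], now: datetime, max_age_days: int = 90) -> list[str]:
    """Names of secrets whose `attributes.updated` is older than max_age_days."""
    cutoff = now - timedelta(days=max_age_days)
    return [s["name"] for s in secrets
            if datetime.fromisoformat(s["attributes"]["updated"]) < cutoff]

def audit_sample() -> tuple[list[str], list[str]]:
    """Run both checks over the constructed sample data."""
    return (audit_vault(json.loads(VAULT_JSON)),
            stale_secrets(json.loads(SECRETS_JSON), SAMPLE_NOW))

if __name__ == "__main__":
    print(audit_sample())
```

Real exports carry many more fields; the checks only read the keys shown, so the script runs unchanged on full `az` output.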
Installation
To install the skill in your OpenClaw environment, use the following command:
clawhub install openclaw/skills/skills/anmolnagpal/key-vault-auditor
Use Cases
- Security Posture Assessment: Performing periodic audits of production Key Vaults to ensure compliance with enterprise security standards.
- Migration Projects: Auditing legacy Key Vaults before transitioning to Azure RBAC and private endpoints.
- Incident Response: Quickly identifying if a secret might have been exposed due to overly broad access policies or public accessibility.
- Operational Excellence: Maintaining a dashboard of expiring secrets and certificates to prevent service outages caused by expired credentials.
Example Prompts
- "Here is the JSON output from my az keyvault show command for my production vault. Please audit the access policies and identify any over-privileged users."
- "I have 50 secrets in my vault, and I'm worried about rotation. Analyze this az keyvault secret list output and tell me which ones haven't been updated in 90+ days."
- "My security team requires private network access. Based on my current az keyvault list configuration, provide a Bicep template to restrict my vaults to specific virtual networks."
Tips & Limitations
- Security First: This skill is instruction-only. It does not execute commands. You must provide the data yourself, which keeps your Azure credentials safe within your own terminal/environment.
- Data Depth: The quality of the analysis is directly proportional to the data provided. Providing full access policy reports and network configuration files yields significantly better recommendations than a simple list.
- RBAC Transition: When using the generated Bicep templates, always test in a non-production environment first, as switching from legacy Access Policies to RBAC can impact existing application connections if not planned correctly.
Metadata
Paste this into your clawhub.json to enable this plugin.
{
  "plugins": {
    "official-anmolnagpal-key-vault-auditor": {
      "enabled": true,
      "auto_update": true
    }
  }
}
Tags: AI