PlaygroundCatalog › Vendor Security Review
VS

Vendor Security Review

🔵 Stable🕐 updated 2026-06-24 🔷 SkillSpec L3 ⚙ ships an executable helper pm-compliance

Run a third-party / vendor security review and assign a risk tier with required controls. Use when asked to assess a vendor's security, run a third-party risk assessment, complete a security questionnaire about a vendor, or decide what due diligence a new tool needs. Produces a vendor risk assessment — a data/access-driven risk tier, the questionnaire focus, required evidence (SOC 2, pen test, DPA), residual risk, and an approve/conditional/reject recommendation.

▶ Run it free — no key needed 📝 Grade your existing draft View SKILL.md ↗

What to give it

What the vendor does — and the data they'll access (none / internal / customer PII / sensitive / regulated).
Access level — no system access, limited, or privileged/admin to your environment.
Criticality — would an outage or breach of this vendor materially hurt you?
Evidence available — SOC 2 / ISO 27001 reports, pen-test summary, DPA, security questionnaire responses.

✅ The bar it holds itself to

Every skill in this library self-verifies — these are this skill's own quality checks, straight from its definition.

The risk tier is driven by data sensitivity × access × criticality — not vendor size or reputation
Diligence depth matches the tier (no rubber-stamping high-risk; no over-auditing low-risk)
High/Critical vendors are required to provide independent evidence (SOC 2 Type II / ISO 27001 / pen test), not self-attestation
A DPA + sub-processor disclosure is required where the vendor handles personal data
The recommendation is explicit (approve / conditional / reject) with conditions and a re-review date

⚠️ What it refuses to do

Do not size diligence by the vendor's brand — a small vendor with privileged access to PII outranks a famous one with none
Do not accept a SOC 2 Type I as equivalent to Type II — Type I is a point-in-time design check, not operating effectiveness
Do not skip the sub-processor question — your data may flow to fourth parties you never assessed
Do not approve high-risk vendors on a promise — require evidence and bind it in the contract (DPA, breach notice SLA)
Do not treat the review as one-and-done — set a re-review cadence tied to the tier

Install

npx pm-claude-skills add --agent claude   # or codex · cursor · gemini · hermes
# or one-line MCP (every skill, any client):
claude mcp add pm-skills -- npx -y pm-claude-skills-mcp

Related skills

🔌 Embed this skill

Drop this on your blog, docs, or site — it renders a "Run this skill" card:

<div data-pm-skill="vendor-security-review"></div>
<script src="https://mohitagw15856.github.io/pm-claude-skills/embed.js" async></script>

💬 Discussion

Vendor Security Review is one of 599 open-source professional AI agent skills — all SkillSpec L3. Try them all in the browser · ⭐ Star on GitHub · Browse the full catalog