VS
Vendor Security Review
🔵 Stable🕐 updated 2026-06-24
🔷 SkillSpec L3
⚙ ships an executable helper
pm-compliance
Run a third-party / vendor security review and assign a risk tier with required controls. Use when asked to assess a vendor's security, run a third-party risk assessment, complete a security questionnaire about a vendor, or decide what due diligence a new tool needs. Produces a vendor risk assessment — a data/access-driven risk tier, the questionnaire focus, required evidence (SOC 2, pen test, DPA), residual risk, and an approve/conditional/reject recommendation.
What to give it
▸What the vendor does — and the data they'll access (none / internal / customer PII / sensitive / regulated).
▸Access level — no system access, limited, or privileged/admin to your environment.
▸Criticality — would an outage or breach of this vendor materially hurt you?
▸Evidence available — SOC 2 / ISO 27001 reports, pen-test summary, DPA, security questionnaire responses.
✅ The bar it holds itself to
Every skill in this library self-verifies — these are this skill's own quality checks, straight from its definition.
✓The risk tier is driven by data sensitivity × access × criticality — not vendor size or reputation
✓Diligence depth matches the tier (no rubber-stamping high-risk; no over-auditing low-risk)
✓High/Critical vendors are required to provide independent evidence (SOC 2 Type II / ISO 27001 / pen test), not self-attestation
✓A DPA + sub-processor disclosure is required where the vendor handles personal data
✓The recommendation is explicit (approve / conditional / reject) with conditions and a re-review date
⚠️ What it refuses to do
Do not size diligence by the vendor's brand — a small vendor with privileged access to PII outranks a famous one with none
Do not accept a SOC 2 Type I as equivalent to Type II — Type I is a point-in-time design check, not operating effectiveness
Do not skip the sub-processor question — your data may flow to fourth parties you never assessed
Do not approve high-risk vendors on a promise — require evidence and bind it in the contract (DPA, breach notice SLA)
Do not treat the review as one-and-done — set a re-review cadence tied to the tier
Install
npx pm-claude-skills add --agent claude # or codex · cursor · gemini · hermes
# or one-line MCP (every skill, any client):
claude mcp add pm-skills -- npx -y pm-claude-skills-mcp
Related skills
🔌 Embed this skill
Drop this on your blog, docs, or site — it renders a "Run this skill" card:
<div data-pm-skill="vendor-security-review"></div>
<script src="https://mohitagw15856.github.io/pm-claude-skills/embed.js" async></script>
💬 Discussion
Vendor Security Review is one of 599 open-source professional AI agent skills — all SkillSpec L3.
Try them all in the browser · ⭐ Star on GitHub · Browse the full catalog