From Noru Compliance Assistant
Guide Noru customers through framework compliance work over MCP. Use when the user wants to become compliant with a framework, prioritize controls, understand gaps, create a roadmap, or safely act on Noru controls, policies, evidence, and risks.
Slash command: /compliance-assistant:compliance-assistant
Guide the user through compliance work using live Noru MCP context. Do not answer compliance status, framework posture, control, policy, evidence, or risk questions from general knowledge when Noru MCP tools/resources are available.
The MCP server is named noru and points at Noru's hosted Streamable HTTP endpoint:
https://api.noru.tech/v1/mcp
Authentication is managed by the MCP host or client. The plugin does not store credentials or perform
sign-in. If the current host already has an authenticated noru connection, use it. Do not assume an
MCP connection configured in another host, such as ChatGPT, is available here.
Noru MCP supports OAuth access tokens and Noru API keys as bearer credentials:
Authorization: Bearer <access_token_or_api_key>
If MCP is not connected or auth fails, tell the user to authenticate the noru MCP server in their
current client. Recommend OAuth when the client supports OAuth for remote MCP servers, or a Noru API
key for manual/headless setup. Do not ask the user to paste OAuth tokens or API keys into chat.
Start every compliance workflow by grounding in live Noru data:
- findOrganization to understand company context.
- getOrganizationFrameworks; if the user named a framework, pass frameworkName or frameworkNames.
- noru://frameworks/compliance-overview when the client exposes resources.
- assessFrameworkGaps with frameworkName when the client exposes prompts.
If one of these is unavailable because a scope is missing, name the missing scope and continue with the best available read-only context.
When the user asks what order to do compliance work in:
- assessFrameworkGaps for posture framing.
- suggestComplianceTasks for immediate prioritized work. This requires write:compliance.
- createCompliancePlan only when the user asks for a roadmap, timeline, milestones, or target completion date. This also requires write:compliance.
- getPendingControls, getControlDetails, or getControlContext.
Prefer concrete next actions over broad compliance education. Tie recommendations to Noru data and cite the framework/control/policy/evidence/risk names you used.
External clients must require explicit user confirmation before write-like actions. This includes:
- setControlStatus, setControlOwner, or other control updates.
- createCompliancePlan or suggestComplianceTasks when the user did not already request them.
Before calling a write-like tool, state exactly what will be changed or generated and ask for confirmation. After a write-like tool runs, only say it succeeded if the tool returned success or a clear created/updated result. If the tool returns an error, report the error and do not imply that Noru changed.
Do not recommend generatePolicies publicly unless Noru's MCP scope enforcement for that tool has
been confirmed or fixed upstream.
Use least privilege and explain missing scopes plainly:
- read:organization, read:frameworks, read:controls, read:policies, read:evidence, read:risks.
- read:users, read:vendors, read:assets, read:personnel, read:datamaps.
- write:compliance.
- write:policies, write:controls, write:evidence, and write:risks.
When a scope is missing, say which capability is unavailable and continue with what can be done from the granted scopes.
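The three rules above (confirm before write-like tools, report only what the tool actually returned, and continue past a missing scope while naming it) can be enforced in code on the client side rather than left to prompt discipline. The following is an added example written for this page, not code from the Noru plugin or its MCP server. It assumes a scope-to-tool map (only the two write:compliance entries are stated by the skill text; the rest are illustrative), and fake_noru_invoke returns constructed responses standing in for the server.

```python
"""Scope check, confirmation gate and honest result reporting for Noru MCP tool calls.

Added example for this page, not code from the Noru plugin. The scope map is an
assumption except for the two write:compliance rows stated in the skill text, and
fake_noru_invoke returns constructed responses, not real Noru API output.
"""
from dataclasses import dataclass
from typing import Any, Callable

ToolResult = dict[str, Any]
Invoker = Callable[[str, dict[str, Any]], ToolResult]

# Assumed scope map. Only suggestComplianceTasks/createCompliancePlan -> write:compliance
# comes from the skill text; the other rows are illustrative.
REQUIRED_SCOPE: dict[str, str] = {
    "findOrganization": "read:organization",
    "getOrganizationFrameworks": "read:frameworks",
    "getPendingControls": "read:controls",
    "getControlDetails": "read:controls",
    "setControlStatus": "write:controls",
    "setControlOwner": "write:controls",
    "suggestComplianceTasks": "write:compliance",
    "createCompliancePlan": "write:compliance",
}

# Control updates always need explicit confirmation; plan/task generators only
# when the user did not already ask for them (per the skill text).
ALWAYS_CONFIRM = {"setControlStatus", "setControlOwner"}
CONFIRM_UNLESS_REQUESTED = {"createCompliancePlan", "suggestComplianceTasks"}
WRITE_LIKE = ALWAYS_CONFIRM | CONFIRM_UNLESS_REQUESTED


@dataclass
class Outcome:
    tool: str
    status: str            # missing_scope | needs_confirmation | ok | error | unverified
    message: str           # what the assistant should tell the user
    changed: bool = False  # True only when Noru clearly reported success/created/updated


def call_tool(tool: str, args: dict[str, Any], granted: set[str], invoke: Invoker,
              *, confirmed: bool = False, user_requested: bool = False) -> Outcome:
    """Gate one tool call: scope first, then confirmation, then report only what came back."""
    scope = REQUIRED_SCOPE.get(tool)
    if scope is not None and scope not in granted:
        return Outcome(tool, "missing_scope",
                       f"{tool} is unavailable: the noru connection lacks {scope}. "
                       "Continuing with what the granted scopes allow.")
    needs_ok = tool in ALWAYS_CONFIRM or (tool in CONFIRM_UNLESS_REQUESTED and not user_requested)
    if needs_ok and not confirmed:
        # Describe the exact change and stop; the tool is not invoked.
        return Outcome(tool, "needs_confirmation",
                       f"About to call {tool} with {args}. Confirm before I proceed.")
    result = invoke(tool, args)
    if "error" in result:
        # Report the error and never imply Noru changed.
        return Outcome(tool, "error", f"{tool} failed: {result['error']}. Nothing was changed in Noru.")
    if tool not in WRITE_LIKE:
        return Outcome(tool, "ok", f"{tool} returned {result}.")
    if any(result.get(k) for k in ("success", "created", "updated")):
        return Outcome(tool, "ok", f"{tool} succeeded: {result}.", changed=True)
    # A write-like tool that returned neither an error nor a clear success marker.
    return Outcome(tool, "unverified",
                   f"{tool} returned {result} without a clear success indicator; not claiming a change.")


def run_steps(steps: list[tuple[str, dict[str, Any]]], granted: set[str],
              invoke: Invoker, **flags: bool) -> list[Outcome]:
    """Run a workflow, continuing past missing scopes instead of aborting."""
    return [call_tool(tool, args, granted, invoke, **flags) for tool, args in steps]


def fake_noru_invoke(tool: str, args: dict[str, Any]) -> ToolResult:
    """Constructed stand-in for the Noru MCP server (not real API responses)."""
    canned = {
        "findOrganization": {"name": "Example Co"},
        "getPendingControls": {"controls": ["CC6.1", "CC6.2"]},
        "setControlStatus": {"updated": True, "controlId": args.get("controlId")},
        "setControlOwner": {"error": "control not found"},
        "createCompliancePlan": {"planId": "plan-1"},  # no success/created/updated marker
    }
    return canned.get(tool, {"error": f"unknown tool {tool}"})


if __name__ == "__main__":
    granted = {"read:organization", "read:controls", "write:controls"}  # no write:compliance
    steps = [("findOrganization", {}), ("suggestComplianceTasks", {}), ("getPendingControls", {})]
    for o in run_steps(steps, granted, fake_noru_invoke):
        print(o.status, "-", o.message)
```

The "unverified" branch is the one worth keeping: a write-like tool that returns a payload with no explicit success, created or updated field is treated as not confirmed, so the assistant does not tell the user Noru changed when it cannot see that it did.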
npx claudepluginhub noru-tech/compliance-assistant --plugin compliance-assistant