Claw GRC/Docs
Start Free
🧠

MCP Protocol

The Claw GRC MCP server exposes 8 GRC tools to any Model Context Protocol-compatible AI agent. Connect Claude, GPT-4, or any MCP client to query compliance data, trigger scans, manage agents, and more — all from within an AI's context window.

What is MCP?

The Model Context Protocol (MCP) is an open protocol that enables AI assistants to connect to external tools and data sources in a standardized way. Claw GRC implements an MCP server that exposes your compliance data and operations as callable tools.

Once connected, your AI assistant can answer questions like:

  • "What's our current SOC 2 compliance score and what are the top 5 gaps?"
  • "Show me all critical findings that haven't been resolved in the last 7 days."
  • "Create a ticket for the access control gap in CC6.1 and assign it to the security team."
  • "Register this new agent with read-only capabilities and assign it to me."
  • "Trigger a dependency scan on the api-gateway repository."

Installation

The Claw GRC MCP server is distributed as an npm package. It runs as a local stdio-based server — no separate infrastructure required.

# Install globally
npm install -g claw-grc-mcp-server

# Or run directly with npx (recommended — always uses latest)
npx claw-grc-mcp-server

Claude Desktop Configuration

Add the Claw GRC MCP server to your Claude Desktop configuration file:

~/Library/Application Support/Claude/claude_desktop_config.jsonjson
{
  "mcpServers": {
    "claw-grc": {
      "command": "npx",
      "args": ["-y", "claw-grc-mcp-server@latest"],
      "env": {
        "CLAW_GRC_API_KEY": "cgrc_live_abc123...",
        "CLAW_GRC_ORG_ID": "00000000-0000-0000-0000-000000000001",
        "CLAW_GRC_API_URL": "https://api.clawgrc.com"
      }
    }
  }
}

After updating the config, restart Claude Desktop. You'll see Claw GRCappear in the tools section of Claude's interface.

Get your API key and Org ID

Generate an API key at Dashboard → Settings → API Keys. Find your Org ID at Dashboard → Settings → Organization → Organization ID. The API key needs at minimum read:compliance and read:agents scopes.

Transport Modes

TransportUse CaseConfig
stdioLocal process communication. Used by Claude Desktop and most MCP clients. Zero network exposure.Default
HTTP/SSERemote MCP server for cloud-deployed agents. Exposes an HTTP endpoint with Server-Sent Events.Cloud agents

All 8 MCP Tools

The Claw GRC MCP server exposes 8 tools across three categories. Each tool is documented below with its full parameter signature and an example response.

Compliance Tools (2 tools)

grc.list_frameworks

List available compliance frameworks for the organization.

limitinteger?Max results (default: 50, max: 200)
offsetinteger?Pagination offset (default: 0)
// Example response: { "frameworks": [{ "id": "soc2", "name": "SOC 2 Type II", "active": true, "score": 68 }], "total": 11 }
grc.get_compliance_score

Get the organization's overall compliance score and breakdown, optionally scoped to a specific framework.

framework_idstring?Optional framework ID to scope the score. If omitted, returns overall score.
// Example response: { "score": 72, "total_controls": 95, "compliant_controls": 68 }

Security Tools (4 tools)

grc.list_findings

List security findings with optional severity and status filters.

severitystring?Filter by severity: critical | high | medium | low | info
statusstring?Filter by status
limitinteger?Max results (default: 50, max: 200)
offsetinteger?Pagination offset (default: 0)
// Example response: { "findings": [{ "id": "f_01J8...", "title": "SQL Injection in login", "severity": "critical", "status": "open" }], "total": 12 }
grc.create_finding

Create a new security finding.

titlestringRequired. Finding title.
severitystringRequired. Severity: critical | high | medium | low | info
descriptionstring?Detailed description of the finding.
assessment_idstring?Associated assessment ID.
cwe_idstring?CWE identifier (e.g., "CWE-89").
cvss_scorenumber?CVSS score (0-10).
// Example response: { "id": "f_01J8...", "title": "SQL Injection in login", "severity": "critical", "status": "open" }
grc.create_ticket

Create a remediation ticket linked to a finding or control.

titlestringRequired. Ticket title.
prioritystringRequired. Priority: critical | high | medium | low
descriptionstring?Ticket description.
finding_idstring?Finding ID to link this ticket to.
// Example response: { "id": "tkt_01J8...", "title": "Fix SQL injection", "status": "open" }
grc.trigger_scan

Trigger a security scan for a target URL or resource.

targetstringRequired. URL or resource identifier to scan.
scan_typestring?Scan type: dast | api | cloud_config (default: dast)
// Example response: { "scan_id": "scan_01J8...", "status": "running" }

Agent Tools (2 tools)

grc.discover_agents

Find registered agents by capability and minimum trust score.

capabilitiesstring[]Required. Capabilities the agent must possess.
min_trust_scorenumber?Minimum trust score (0-1).
// Example response: { "agents": [{ "id": "agent_01J8...", "name": "Compliance Scanner", "trust_score": 0.92, "capabilities": ["scan", "report"] }], "total": 3 }
grc.call_agent

Invoke another registered agent by ID, calling a specific method with parameters.

target_agent_idstringRequired. UUID of the agent to invoke.
methodstringRequired. Method to call on the target agent.
paramsobject?Parameters for the method invocation.
// Example response: { "request_id": "req_01J8...", "status": "accepted", "interaction_id": "ix_01J8..." }

Example: Compliance Check Workflow

Here's an example of how an AI agent would use the MCP tools to check compliance status and create tickets for critical findings:

Agent prompt:
"Check our SOC 2 compliance and create tickets for critical findings."

Agent actions (using MCP tools):
1. grc.get_compliance_score({ framework_id: "soc2" })
   → Score: 68%, 95 total controls, 64 compliant

2. grc.list_findings({ severity: "critical", status: "open" })
   → 3 critical open findings

3. grc.create_ticket({ title: "Fix MFA enforcement", priority: "critical", finding_id: "f_01..." })
   → Ticket created: tkt_01J8...

4. grc.discover_agents({ capabilities: ["remediate"] })
   → Found 1 agent with remediation capability

5. grc.call_agent({ target_agent_id: "agent_01...", method: "remediate", params: { finding_id: "f_01..." } })
   → Remediation request accepted

Agent response:
"Your SOC 2 score is 68% (64/95 controls compliant). I found
3 critical findings and created a ticket for the MFA enforcement
gap. I also dispatched the remediation agent to begin working
on the fix."

OpenClaw Agent Integration

If you're running OpenClaw agents, the Claw GRC MCP server integrates natively. OpenClaw agents can self-register, log their own interactions, and query their trust scores — creating a fully autonomous compliance monitoring loop.

openclaw-skill-example.pypython
# OpenClaw skill: auto-register and log interactions
import os
import httpx

CLAW_GRC_API_KEY = os.getenv("CLAW_GRC_API_KEY")
CLAW_GRC_ORG_ID = os.getenv("CLAW_GRC_ORG_ID")
AGENT_ID = os.getenv("CLAW_GRC_AGENT_ID")

async def log_action(action_type: str, action_details: dict):
    """Log every agent action to the Claw GRC tamper-evident audit trail."""
    async with httpx.AsyncClient() as client:
        await client.post(
            "https://api.clawgrc.com/api/v1/agents/{}/interactions".format(AGENT_ID),
            headers={
                "Authorization": f"Bearer {CLAW_GRC_API_KEY}",
                "X-Org-ID": CLAW_GRC_ORG_ID,
            },
            json={
                "action_type": action_type,
                "action_details": action_details,
            }
        )

MCP tool count

The 8 tools above represent the currently implemented MCP surface. Additional tools (control management, evidence uploads, gap analysis, reports) are on the roadmap. Pin a specific version in production (claw-grc-mcp-server@1.0.0) rather than using @latest to avoid breaking changes on update.
🔑
Authentication
Generate the API key needed to authenticate the MCP server
🤖
Agent Registry
Register your agent in Claw GRC before logging interactions via MCP