AI Data Exposure and Vendor Risk Assessor — Decide What's Safe to Send to an AI Vendor Before You Send It
Before you send proprietary or sensitive data to an AI vendor, assess the risk. This skill classifies what's actually your moat versus regulated, contractual, or harmless data, maps the real exposure vectors by vendor tier, lists the questions to get in writing, and gives a send / send-with-controls / keep-in-house recommendation per data type.
- Classify data sensitivity to determine if it belongs in a public or private LLM.
- Evaluate vendor-specific exposure like model training and human review policies.
- Generate precise due diligence questions for AI vendor security reviews.
Included in download
- file_read, file_write automation included
- Ready for agents, including Claude Code
See it in action
You say
We want to use a hosted LLM vendor's enterprise API tier to summarize our internal product roadmap and customer feedback logs. Which parts are safe to send, which need controls, and what should we get in writing from the vendor first?
Your agent does
### Assessment Summary

**Data Classification:**
- Product Roadmap: Proprietary moat (high sensitivity; value depends on exclusivity).
- Customer Feedback Logs: Regulated / contractual (likely contains PII).

**Exposure Vectors to Verify for This Tier (do not assume — confirm in writing):**
- Training on inputs: is your data excluded from model training on this tier?
- Retention: how long are inputs/outputs stored, and is a zero-retention option available?
- Human review: is there human review for safety/abuse monitoring, and can it be scoped or opted out of?
- Sub-processors and jurisdiction: who else processes the data, and in which regions?
- Output memorization: any risk of your content surfacing in other users' outputs?

**Recommendation (per data type):**
- Roadmap: Send with controls — redact unreleased project names/dates; require a written no-training commitment before sending; otherwise keep in-house.
- Feedback Logs: Send with controls — scrub or pseudonymize PII and minimize fields; confirm the DPA covers this use.

**Questions to Get in Writing from the Vendor:**
- Does our contract/DPA include a no-training and zero- or limited-retention option on this tier?
- Can we opt out of or scope any human review / safety logging?
- Who are the sub-processors and what are the data residency options?

Note: This is decision-support, not legal advice, and it does not assert what any specific vendor does with your data — tier terms vary and change, so confirm the above directly with the vendor and your counsel.
About This Skill
Sending data to an AI vendor is now a routine decision made with almost no structure, and the anxiety is real: is the proprietary corpus that is our moat about to train a competitor's model, is customer data leaving our control, what does this vendor actually retain? The honest answer is usually nuanced — some data is completely fine to send to an enterprise zero-retention tier, and some genuinely should never leave your environment — but teams rarely have a way to tell which is which.

AI Data Exposure and Vendor Risk Assessor runs that assessment. Describe the data, the use case, and the vendor and tier, and it:
- classifies each data element as moat, regulated, contractual, or low-sensitivity;
- maps the real exposure vectors for that tier — training on inputs, retention, sub-processors, output memorization, jurisdiction — and distinguishes default consumer behavior from enterprise and self-hosted terms, which are often opposite;
- lists the exact questions to get in writing from the vendor before anything is sent;
- gives a tiered recommendation per data type: send freely, send with specific controls (redaction, minimization, a no-training agreement, region restriction), or keep in-house.

It is even-handed, not anti-AI — the right answer is often that the data is fine on an enterprise no-training tier, and it says so — and it reserves the highest bar for the true moat, whose value depends on exclusivity.

The download includes three reference files: the data-sensitivity worksheet, an exposure-vectors and vendor-questions guide, and a worked sample assessment. It is decision-support, not legal advice, and it does not assert what any named vendor does with your data — terms vary by tier and change, so it tells you what to verify directly. Works with Claude Code, Cursor, Codex CLI, Gemini CLI, and any SKILL.md agent.
Use Cases
- Classify data sensitivity to determine if it belongs in a public or private LLM.
- Evaluate vendor-specific exposure like model training and human review policies.
- Generate precise due diligence questions for AI vendor security reviews.
- Establish technical controls like redaction or pseudonymization for AI workflows.
Known Limitations
This is decision-support, not legal advice, and it does not certify or guarantee compliance, security, or safety — confirm conclusions with your counsel and security team. It assesses risk only from what you describe; it does not scan, read, or classify your actual data, connect to any AI vendor, monitor live data flows, or verify a vendor's real infrastructure. It does not assert what any specific named vendor does with your data — tier terms vary and change, so it tells you what to confirm in writing rather than stating vendor behavior as fact. Output quality depends on the accuracy of the data, use case, vendor, and tier you provide. It performs a point-in-time assessment with no automatic, ongoing, or lifetime updates and no vendor integration.
How to install
Drop the file into your AI tool. Works with Claude, Cursor, ChatGPT, and 20+ more.
Security Scanned
Passed automated security review
Permissions
File Scopes
This skill only needs to read the inputs you provide and its own bundled reference files, and to write out the assessment. It requires Read Files and Write Files only. It does not run terminal commands, open a browser, make network connections, or read environment variables, and it connects to no external hosts — all analysis happens locally from what you describe. Terminal, Browser, Network, and Environment Variables are intentionally left off.
Tags
Works with any agent that supports the open SKILL.md standard, including Claude Code, Cursor, Codex CLI, Gemini CLI, and VS Code Copilot. Requires an agent with local file read/write access; no network, terminal, or environment access is used. Includes SKILL.md plus three reference files (data-sensitivity-worksheet.md, exposure-vectors-and-vendor-questions.md, sample-exposure-assessment.md).