    Legal, Security & Compliance Auditor

    by rayyer

    Adaptive GDPR, CCPA, security, and AI compliance audit with severity-graded findings and law citations

    Updated May 2026
    Security scanned
    One-time purchase
    TypeScript

    $10

    30-day refund guarantee

    Secure checkout via Stripe

    Included in download

    • Identify PII leakage in logging and third-party analytics calls.
    • Verify password hashing and encryption-at-rest against industry standards.
    • file_read, file_write automation included
    • Ready for TypeScript
    • Instant install

    Sample Output

    A real example of what this skill produces.

    Scope determined: GDPR + UK GDPR + CCPA/CPRA + Security + LLM. LGPD/PIPL/DPDPA not in scope.

    I scanned 142 source files. Writing the full report to COMPLIANCE_AUDIT.md.

    Summary: 20 findings — 3 Critical, 6 High, 7 Medium, 4 Low.

    Top priority right now: an OpenAI API key was committed in PR #214 and never rotated. The key is reachable via git log --all -S 'sk-proj-' even though it was removed in a later commit. Rotate it in the OpenAI dashboard now, then install gitleaks as a pre-commit hook.

    Other Critical findings:

    • Request middleware logs full POST bodies — passwords leak to Sentry on signup (src/middleware.ts:18).
    • No account-deletion endpoint exists (GDPR Art. 17, CCPA §1798.105). The schema has no anonymization helpers either.

    Recommended order: fix the 3 Criticals this week. Add the EU cookie consent gate and "Do Not Sell or Share" link before launch. The full report at COMPLIANCE_AUDIT.md contains file:line for each finding, the article cited, and a concrete fix.

    This audit is an engineering checklist, not legal counsel. Consult a qualified data protection lawyer for binding decisions.
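The middleware finding above (full POST bodies forwarded to a log sink) is the kind of defect a redaction layer fixes. The following is an added example, not the skill's own code: the "before" shape beside a version that scrubs credentials and PII before the event leaves the process. `Req` and `LogSink` are minimal stand-in types (an assumption), not Express or Sentry types, and the sample request in the comments is constructed.

```typescript
// Added example, not the skill's own code: the "before" middleware shape the
// sample finding flags, beside a redacting version. Req and LogSink are minimal
// stand-in types (an assumption), not Express or Sentry types.

// Keys whose values are never logged; compared after lowercasing and stripping
// separators, so "newPassword", "api_key" and "X-Api-Key" all match.
const SENSITIVE_KEYS = ["password", "passwd", "secret", "token", "apikey",
  "authorization", "cookie", "ssn", "cardnumber", "cvv"];
// Free-text values that are credentials or direct PII regardless of their key.
const SENSITIVE_VALUE_PATTERNS: RegExp[] = [
  /\bsk-[A-Za-z0-9_-]{10,}/,       // API-key-shaped secrets (cf. the sk-proj- key above)
  /\b[\w.+-]+@[\w-]+\.[\w.-]+\b/,  // e-mail addresses
  /\b\d{3}-\d{2}-\d{4}\b/,         // US SSN shape
];

function isSensitiveKey(key: string): boolean {
  const k = key.toLowerCase().replace(/[-_\s]/g, "");
  return SENSITIVE_KEYS.some(s => k.includes(s));
}
// Deep-copies a body or header object, replacing sensitive values with a marker.
function redact(value: unknown, depth = 0): unknown {
  if (depth > 20) return "[REDACTED:depth]";  // cut off huge or cyclic bodies
  if (Array.isArray(value)) return value.map(v => redact(v, depth + 1));
  if (value !== null && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      out[k] = isSensitiveKey(k) ? "[REDACTED]" : redact(v, depth + 1);
    }
    return out;
  }
  if (typeof value === "string") {
    const s: string = value;
    if (SENSITIVE_VALUE_PATTERNS.some(p => p.test(s))) return "[REDACTED]";
  }
  return value;
}

interface Req { method: string; path: string; headers: Record<string, string>; body?: unknown }
type LogSink = (event: Record<string, unknown>) => void;
// Before (the flagged pattern): the whole request reaches the sink, so a signup
// POST ships the plaintext password to Sentry.
function leakyRequestLogger(sink: LogSink) {
  return (req: Req) => sink({ method: req.method, path: req.path, headers: req.headers, body: req.body });
}
// After: same event shape, but headers and body pass through redact() first.
function safeRequestLogger(sink: LogSink) {
  return (req: Req) => sink({ method: req.method, path: req.path,
    headers: redact(req.headers), body: redact(req.body) });
}
```

Key-based matching is deliberately broad (any key containing "token" is scrubbed); value-pattern matching catches PII that arrives under an innocuous key such as a free-text "notes" field.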

    About This Skill

    Ship to production with confidence. This skill runs a deep privacy and security audit of your codebase and produces a single, prioritized report — like having a junior data-protection engineer on call.

    What it audits

    • GDPR + UK GDPR — 23 checks: lawful basis, consent, all data-subject rights (Art. 15–22), data protection by design, security, breach notification, international transfers
    • CCPA / CPRA — 17 checks: notice at collection, sale/share opt-out, Global Privacy Control, minor opt-in, sensitive PI, request response SLA
    • Data security — 20 checks: password hashing, encryption at rest and in transit, secrets in code, PII in logs, JWT and session security, SQL injection, security headers, CORS
    • LLM disclosure & AI compliance — 16 checks: AI labeling, inaccuracy warnings, data sent to providers, EU AI Act Art. 50, prompt injection, vector store privacy, automated decisions
    • LGPD (Brazil), PIPL (China), DPDPA (India) — 24 conditional checks loaded only when the skill detects you target those markets

    How it works

    1. Detects target markets from i18n files, currencies, domains, languages, framework signals. Asks if signals are ambiguous.
    2. Maps your PII surface — database models, API endpoints, forms, logs, third parties, LLM integrations, cookies, auth flows.
    3. Runs applicable checklists against the map.
    4. Writes COMPLIANCE_AUDIT.md with Critical / High / Medium / Low findings. Every finding has the exact file:line, the article cited (e.g. "GDPR Art. 17(1)(a)"), what's wrong, why it matters, and a concrete fix.

    Why this skill stands out

    • Adaptive scope — auto-detects target jurisdictions, so you get only the checks that apply
    • Concrete fixes, not vague advice — "Replace SHA-256 with argon2id (m=19456 KB, t=2, p=1), migrate on next login" beats "use stronger hashing"
    • Honest boundaries — produces an engineering audit, not legal advice; report ends with disclaimer recommending qualified counsel
    • Agent-agnostic — Claude Code, Cursor, Codex CLI, VS Code Copilot, Gemini CLI, Windsurf
    • Stack-aware — recognizes Prisma, Drizzle, TypeORM, SQLAlchemy, Django ORM, Active Record, Mongoose, plus Next.js, FastAPI, Express, NestJS, Rails routing

    Who it's for

    • Founders preparing for production launch in EU / UK / US
    • Engineers preparing for a SOC 2 / ISO 27001 / DPIA review
    • Teams adding AI features who need to disclose properly
    • Anyone shipping a product that touches user data

    Trigger phrases

    The skill auto-loads when you naturally ask things like:
    • "Check my app for GDPR compliance"
    • "Do a privacy audit before launch"
    • "Find data protection issues"
    • "Audit my codebase for personal data handling"
    • "Review my app before launching in the EU"

    Limitations

    Static review only. Does not write fixes (you decide what to change), does not generate Privacy Policy / Terms text, does not certify compliance. Consult a qualified data protection lawyer for binding decisions.

    Use Cases

    • Identify PII leakage in logging and third-party analytics calls.
    • Verify password hashing and encryption-at-rest against industry standards.
    • Check for required user rights endpoints like data deletion and export.
    • Audit LLM integrations for proper user data handling and disclosure.
    • Generate a severity-graded compliance report for legal stakeholders.

    Security Scanned

    Passed automated security review

    Permissions

    Read Files
    Write Files

    File Scopes

    **/*.{ts,tsx,js,jsx,mjs,cjs}
    **/*.{py,rb,go,java,cs,php,rs,swift,kt}
    **/*.{json,yaml,yml,toml,xml}
    **/.env*
    **/schema.prisma
    **/migrations/**
    **/legal/**
    **/privacy*
    **/terms*
    COMPLIANCE_AUDIT.md

    This skill performs static analysis only. It reads source files to detect PII handling patterns, ORM schemas, API routes, third-party SDK usage, and configuration. It writes a single file (COMPLIANCE_AUDIT.md) at the repository root with the audit report. No network calls, no shell commands, no environment variable reads, no telemetry. The "Network Access" permission auto-detected from the ZIP is a false positive — the skill discusses third-party APIs in its checklists but never invokes them.

    No runtime dependencies. Pure markdown skill — works on any codebase. Pattern recognition for modern stacks: Node/TypeScript, Python, Ruby, PHP, Go, Java, Rust, C#, Swift, Kotlin. Compatible with any agent supporting the SKILL.md standard.
