Legal, Security & Compliance Auditor
by rayyer
Adaptive GDPR, CCPA, security, and AI compliance audit with severity-graded findings and law citations
- Identify PII leakage in logging and third-party analytics calls.
- Verify password hashing and encryption-at-rest against industry standards.
- Check for required user rights endpoints like data deletion and export.
$10
· or 50 credits
Secure checkout via Stripe
Included in download
- Identify PII leakage in logging and third-party analytics calls.
- Verify password hashing and encryption-at-rest against industry standards.
- file_read, file_write automation included
- Ready for TypeScript
Sample input
I'm launching a SaaS app (Next.js + Prisma + Clerk + OpenAI) in the EU and California next month. Run a full privacy and compliance audit and tell me what to fix first.
Sample output
Scope determined: GDPR + UK GDPR + CCPA/CPRA + Security + LLM. LGPD/PIPL/DPDPA not in scope.
I scanned 142 source files. Writing the full report to COMPLIANCE_AUDIT.md.
Summary: 20 findings — 3 Critical, 6 High, 7 Medium, 4 Low.
Top priority right now: an OpenAI API key was committed in PR #214 and never rotated. The key is reachable via
git log --all -S 'sk-proj-' even though it was removed in a later commit. Rotate it in the OpenAI dashboard now,
then install gitleaks as a pre-commit hook.
Other Critical findings:
- Request middleware logs full POST bodies — passwords leak to Sentry on signup (src/middleware.ts:18).
- No account-deletion endpoint exists (GDPR Art. 17, CCPA §1798.105). The schema has no anonymization helpers either.
Recommended order: fix the 3 Criticals this week. Add the EU cookie consent gate and "Do Not Sell or Share" link before launch. The full report at COMPLIANCE_AUDIT.md contains file:line for each finding, the article cited, and a concrete fix.
This audit is an engineering checklist, not legal counsel. Consult a qualified data protection lawyer for binding decisions.
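As an added illustration of the second Critical finding above (request middleware logging full POST bodies), not code from the skill or from the audited app: a redaction helper a request-logging middleware can apply before a body reaches a logger or an error tracker such as Sentry. The sensitive-key list and the sample signup payload are constructed for this example.

```typescript
// Added example: redact credential and PII fields from a request body before it is logged.
// The key list and the sample payload below are constructed for this illustration.
const SENSITIVE_KEYS =
  /^(password|passwd|pass|secret|token|api[_-]?key|authorization|email|ssn|credit[_-]?card|card[_-]?number|cvv)$/i;
const REDACTED = "[REDACTED]";

type Json = string | number | boolean | null | Json[] | { [key: string]: Json };

// Returns a deep copy of `value` with the value of every key matching SENSITIVE_KEYS replaced.
// The input is never mutated, so the route handler still receives the real body.
function redactBody(value: Json, depth = 0): Json {
  if (depth > 32) return REDACTED; // guard against pathological nesting
  if (Array.isArray(value)) return value.map((v) => redactBody(v, depth + 1));
  if (value !== null && typeof value === "object") {
    const out: { [key: string]: Json } = {};
    for (const k of Object.keys(value)) {
      out[k] = SENSITIVE_KEYS.test(k) ? REDACTED : redactBody(value[k], depth + 1);
    }
    return out;
  }
  return value;
}

// Before (the pattern the finding describes): the entire body reaches the log sink.
function logRequestUnsafe(sink: (line: string) => void, body: Json): void {
  sink(JSON.stringify(body));
}

// After: redact first, so a signup password or API key never leaves the process in a log line.
function logRequestSafe(sink: (line: string) => void, body: Json): void {
  sink(JSON.stringify(redactBody(body)));
}

// Constructed signup payload standing in for a real POST /api/signup body.
const SAMPLE_SIGNUP: Json = {
  email: "alice@example.com",
  password: "hunter2",
  profile: { name: "Alice", apiKey: "sk-proj-EXAMPLE" },
  tags: [{ token: "abc" }, "plain"],
};
```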
About This Skill
What it audits
- GDPR + UK GDPR — 23 checks: lawful basis, consent, all data-subject rights (Art. 15–22), data protection by design, security, breach notification, international transfers
- CCPA / CPRA — 17 checks: notice at collection, sale/share opt-out, Global Privacy Control, minor opt-in, sensitive PI, request response SLA
- Data security — 20 checks: password hashing, encryption at rest and in transit, secrets in code, PII in logs, JWT and session security, SQL injection, security headers, CORS
- LLM disclosure & AI compliance — 16 checks: AI labeling, inaccuracy warnings, data sent to providers, EU AI Act Art. 50, prompt injection, vector store privacy, automated decisions
- LGPD (Brazil), PIPL (China), DPDPA (India) — 24 conditional checks loaded only when the skill detects you target those markets
How it works
- Detects target markets from i18n files, currencies, domains, languages, framework signals. Asks if signals are ambiguous.
- Maps your PII surface — database models, API endpoints, forms, logs, third parties, LLM integrations, cookies, auth flows.
- Runs applicable checklists against the map.
- Writes COMPLIANCE_AUDIT.md with Critical / High / Medium / Low findings. Every finding has the exact file:line, the article cited (e.g. "GDPR Art. 17(1)(a)"), what's wrong, why it matters, and a concrete fix.
Why this skill stands out
- Adaptive scope — auto-detects target jurisdictions, so you get only the checks that apply
- Concrete fixes, not vague advice — "Replace SHA-256 with argon2id (m=19456 KB, t=2, p=1), migrate on next login" beats "use stronger hashing"
- Honest boundaries — produces an engineering audit, not legal advice; report ends with disclaimer recommending qualified counsel
- Agent-agnostic — Claude Code, Cursor, Codex CLI, VS Code Copilot, Gemini CLI, Windsurf
- Stack-aware — recognizes Prisma, Drizzle, TypeORM, SQLAlchemy, Django ORM, Active Record, Mongoose, plus Next.js, FastAPI, Express, NestJS, Rails routing
Who it's for
- Founders preparing for production launch in EU / UK / US
- Engineers preparing for a SOC 2 / ISO 27001 / DPIA review
- Teams adding AI features who need to disclose properly
- Anyone shipping a product that touches user data
Trigger phrases
The skill auto-loads when you naturally ask things like:
- "Check my app for GDPR compliance"
- "Do a privacy audit before launch"
- "Find data protection issues"
- "Audit my codebase for personal data handling"
- "Review my app before launching in the EU"
Limitations
Static review only. Does not write fixes (you decide what to change), does not generate Privacy Policy / Terms text, does not certify compliance. Consult a qualified data protection lawyer for binding decisions.
Use Cases
- Identify PII leakage in logging and third-party analytics calls.
- Verify password hashing and encryption-at-rest against industry standards.
- Check for required user rights endpoints like data deletion and export.
- Audit LLM integrations for proper user data handling and disclosure.
- Generate a severity-graded compliance report for legal stakeholders.
Known Limitations
- Static analysis only — does not detect issues that only surface at runtime (e.g., race conditions in consent flows, certain side-channel leaks).
- Does not write code fixes — produces findings and concrete recommendations; you decide what to change.
- Does not generate Privacy Policy or Terms of Service text. Use a vetted template or a qualified lawyer for those.
- Does not certify compliance. Only a qualified DPO and lawyer can do that.
- Pattern recognition is tuned for modern web and mobile stacks. Less common languages (Elixir, Clojure, OCaml, COBOL) fall back to generic semantic checks with reduced precision.
- Law content reflects 2025 baselines (CPRA enforcement, EU AI Act in force, DPDPA Draft Rules of January 2025, CAC 2024 transfer clarifications). Major regulatory shifts after mid-2025 may require a skill update.
- Conditional jurisdictions (LGPD/PIPL/DPDPA) trigger only on detected market signals; if signals are weak the skill asks before applying them.
How to Install
mkdir -p ~/.claude/skills && curl -sL https://www.agensi.io/api/install/legal-security-compliance-auditor -o /tmp/legal-security-compliance-auditor.zip && unzip -o /tmp/legal-security-compliance-auditor.zip -d ~/.claude/skills && rm /tmp/legal-security-compliance-auditor.zip
Free skills install directly. Paid skills require purchase - use the download button above after buying.
Security Scanned
Passed automated security review
Permissions
File Scopes
This skill performs static analysis only. It reads source files to detect PII handling patterns, ORM schemas, API routes, third-party SDK usage, and configuration. It writes a single file (COMPLIANCE_AUDIT.md) at the repository root with the audit report. No network calls, no shell commands, no environment variable reads, no telemetry. The "Network Access" permission auto-detected from the ZIP is a false positive — the skill discusses third-party APIs in its checklists but never invokes them.
No runtime dependencies. Pure markdown skill — works on any codebase. Pattern recognition for modern stacks: Node/TypeScript, Python, Ruby, PHP, Go, Java, Rust, C#, Swift, Kotlin. Compatible with any agent supporting the SKILL.md standard.