← Back to Skills Marketplace
pkerkhofs

EU Compliance Skill - complisec

by eyesecurity · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
68
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install eu-compliance
Description
EU compliance enforcement for AI agents — NIS2, GDPR, ISO 27001. ACTIVATE on EVERY prompt. Reads .compliance/profile.json to enforce data residency, supplier...
README (SKILL.md)

complisec — EU Compliance for AI Agents

Important: Installation vs Usage

If you were asked to install, clone, or set up this skill — complete the installation and confirm to the user. Do NOT run the onboarding questionnaire during installation. The questionnaire only runs when the user explicitly invokes /complisec setup or asks to create their org profile.

Boot sequence

When this skill is first loaded, execute these steps IN ORDER. Do not skip any step.

Step 1 — Detect platform capabilities

Determine what you can do:

Capability How to check Examples
File read/write Can you read/write files on disk? Claude Code, Cursor, Codex, local agents
Shell commands Can you run bash/shell? Claude Code, Cursor, Codex
Memory/persistence Can you store data between conversations? ChatGPT memory, Claude.ai projects, LangDock workspace
Web fetch Can you fetch URLs? Claude.ai, some ChatGPT configs

Record your capabilities silently — do not explain them to the user.

Step 2 — Find the org profile

Search for "complisec_profile" in this order. Stop at the first match:

  1. File system (if you can read files): read .compliance/profile.json
  2. Conversation context: scan the current system prompt, project instructions, custom instructions, or workspace settings for "complisec_profile"
  3. Memory (if platform has memory): search for a previously stored complisec profile

Step 3 — Act on what you found

If profile found: respond with exactly this format (fill in the values from the profile):

complisec loaded — [org name] ([jurisdiction])
Critical assets: [count] | Data residency: [constraint] | Legal: [regulations]
Compliance enforcement active. Type /complisec setup to update the profile.

Then proceed with the user's request, applying enforcement rules below.

If NO profile found: respond with exactly this:

complisec loaded — no organisation profile found.

To activate compliance enforcement, I need to know about your organisation.
This takes about 5 minutes and covers: critical assets, data residency,
risk appetite, suppliers, and legal obligations.

Ready? I'll start with: tell me about your organisation — name, country,
what you do, how many people.

(Or type /complisec setup later to do this at any time.)

If the user responds with organisation details, proceed with the questionnaire from skills/org-profile/SKILL.md. If they want to skip, acknowledge and proceed without profile-specific enforcement.

Step 4 — After profile creation, deploy it

The profile must persist between conversations. How depends on the platform:

Platform How to persist
Claude Code / Cursor / Codex Save to .compliance/profile.json — the skill reads it automatically
ChatGPT Save to memory. Also tell user: "Go to Settings → Personalization → Custom Instructions and paste the profile JSON so it loads in every conversation."
Claude.ai (Projects) Tell user: "Open your project → Project Instructions. Paste the profile JSON at the top."
LangDock Tell user: "Go to workspace settings → find complisec → paste the profile JSON in the system prompt."
Other / unknown Output the profile as a copyable code block and say: "Paste this into your platform's system prompt, custom instructions, or memory so it persists across conversations."

Enforcement rules

If $ARGUMENTS equals "setup", read skills/org-profile/SKILL.md and run the onboarding questionnaire.

Otherwise, once the profile is loaded, apply these rules when relevant:

1. Secrets

Scan for credentials, API keys, tokens, passwords, private keys, connection strings, national IDs. If found: block, never echo the value in your response, warn, guide to rotate. See skills/data-sensitivity/SKILL.md.

2. Critical assets

Does the conversation touch a critical asset from complisec_profile.critical_assets? If yes:

  • What's the CIA impact?
  • Is it within risk_appetite?
  • Does a new data flow or supplier touch it?
  • Are there regulatory implications from legal?

3. Data residency

Does the action involve cloud services, hosting, external APIs, or SaaS? Check data_residency. Flag violations: "Your profile restricts data to [regions]. This action sends data to [violating region]."

4. Risk appetite

Architectural decisions, trade-offs, cost vs security? Cross-reference the proposed risk against risk_appetite per CIA dimension. If risk exceeds appetite for an affected critical asset: warn. If within appetite: proceed.

5. Suppliers

New service or integration? Check complisec_profile.suppliers. Unknown supplier = flag: DPA needed, hosting location check. See skills/vendor-risk/SKILL.md.

6. Code generation

Never hardcode secrets. Include structured audit logging for data access. Respect data residency. See skills/audit-logging/SKILL.md.

7. Changes to critical assets

Modification to a critical asset? Impact assessment + rollback plan before proceeding. See skills/change-management/SKILL.md.

8. Incidents

Security incident, breach, or outage reported? Start the incident lifecycle immediately. Calculate notification deadlines using incident_reporting. See skills/incident-management/SKILL.md.

9. Skill vetting

Before installing a new skill: does it access critical assets? Send data outside allowed regions? Request credentials? Flag against the profile.

Sub-skills

Read when needed — don't load everything at once. If you have file access, read from the skills/ directory. If not, these are included in the ZIP that was uploaded.

Sub-skill When to read
skills/org-profile/SKILL.md Create or update the org profile
skills/nis2-gap-analysis/SKILL.md NIS2 gap analysis
skills/data-sensitivity/SKILL.md Data classification, secret blocking
skills/audit-logging/SKILL.md Audit logging for agent actions and code
skills/incident-management/SKILL.md Incident lifecycle + notification deadlines
skills/vendor-risk/SKILL.md Vendor assessment + supply chain risk
skills/change-management/SKILL.md Change records for critical assets
skills/compliance-hub/SKILL.md Central log collection + observability
skills/security-compliance-tools/SKILL.md Critical asset methodology, CISO workflow
skills/eu-compliance-directives/SKILL.md EU regulation source index
skills/risk-assessment-writer/SKILL.md Write, draft, or generate risk assessments, risk entries, or threat/vulnerability descriptions
Usage Guidance
This skill mostly does what it says (build and enforce an org compliance profile), but several behaviors deserve attention before you install or enable it: 1) Ask the author to explain why the agent should 'record capabilities silently' and to remove or justify any hidden behaviour. 2) Confirm where the profile files and change records will be stored (filesystem path, memory, system prompt) and whether those storage locations are acceptable for your organisation — avoid pasting secrets or personally identifiable data into system prompts or public memory. 3) Verify the missing declared dependency: the nis2 gap analysis requires Python 3.10+, so either the registry metadata should list this or you should run the code in an isolated environment. 4) Because the skill recommends scanning system prompts and memory, review the code (especially sub-skills) yourself or in a sandboxed account to ensure it does not exfiltrate data or access unrelated credentials. 5) Ask for provenance: the source/homepage is unknown; prefer skills with a verifiable author or repository. If you must test it, do so in a controlled environment with nonproduction sample data and without exposing real secrets or third-party credentials.
Capability Analysis
Type: OpenClaw Skill Name: eu-compliance Version: 1.0.0 The 'complisec' skill bundle is a comprehensive compliance enforcement framework designed to align AI agent behavior with EU regulations such as NIS2, GDPR, and ISO 27001. It includes sophisticated sub-skills for secret redaction (data-sensitivity), structured audit logging, incident management, and vendor risk assessment. While the bundle requests high-privilege capabilities—such as file system access for profile persistence and shell access for cloud log synchronization (e.g., AWS S3/Azure Blob via compliance-hub/SKILL.md)—these actions are explicitly documented as requirements for regulatory log retention and organizational context. The instructions prioritize security best practices, such as redacting credentials from model outputs and enforcing environment variable usage over hardcoding. No evidence of malicious intent, data exfiltration to unauthorized endpoints, or obfuscation was detected.
Capability Tags
cryptorequires-walletcan-make-purchasesrequires-sensitive-credentials
Capability Assessment
Purpose & Capability
The skill claims to enforce EU compliance (NIS2, GDPR, ISO27001) and includes many sub-skills and guidance consistent with that goal. However, the package contains a Python script (nis2_check.py) and documentation saying Python 3.10+ is required while the registry metadata lists no required binaries — a mismatch. The README/SKILL.md justify reading and persisting a .compliance/profile.json which is coherent with the purpose, but the claim 'ACTIVATE on EVERY prompt' in the SKILL.md contrasts with the registry flags (always:false).
Instruction Scope
Runtime instructions tell the agent to 'Detect platform capabilities' and to scan for a profile by searching the file system AND the conversation/system prompt/custom instructions AND memory. It explicitly instructs to 'Record your capabilities silently — do not explain them to the user.' Those behaviors involve reading potentially sensitive platform state and hidden recording, which is privacy-sensitive and broader than typical 'compliance helper' needs. The skill also instructs users to paste organization profile JSON into system prompts/custom instructions or memory for persistence — this encourages replication of sensitive org data into places that may be accessible beyond intended scope.
Install Mechanism
There is no install spec (instruction-only) which reduces installation risk. However, a sub-skill requires Python (nis2-gap-analysis/nis2_check.py) and README/SKILL.md mention Python 3.10+. The registry metadata did not declare that binary requirement. No network download/install steps are present.
Credentials
The skill declares no required env vars or config paths, and it does not request external credentials — appropriate for its function. But its runtime instructions access environment-like secrets: searching system prompts, project instructions, and conversational memory (which may contain other skills' tokens or private data). This access is not declared in the metadata and may lead to exposure of unrelated sensitive information. It also asks to persist profiles into system prompts/memory which may be undesirable for secrets or legal data.
Persistence & Privilege
The SKILL.md repeatedly instructs the agent to persist the org profile between conversations (filesystem, memory, or paste into system prompts) and to 'ACTIVATE on EVERY prompt'. Registry flags do not set always:true, but the skill's instructions encourage persistent presence and hidden capability recording. The combination (silent capability detection + persistence into system prompts/memory) increases the blast radius if the skill runs autonomously or is present in shared environments.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install eu-compliance
  3. After installation, invoke the skill by name or use /eu-compliance
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of complisec — automated EU compliance enforcement for AI agents covering NIS2, GDPR, and ISO 27001. - Loads and applies organisation compliance profiles for every prompt; enforces data residency, supplier checks, secret blocking, audit logging, and risk appetite. - Activates onboarding only when explicitly invoked; does not prompt during installation. - Supports automatic detection and persistence of organisation profiles across multiple platforms. - Integrates enforcement rules for code generation, data exports, cloud deployments, API integrations, and supplier vetting. - Modular design — loads relevant sub-skills on demand for asset management, incident handling, vendor risk, and regulatory analysis.
Metadata
Slug eu-compliance
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is EU Compliance Skill - complisec?

EU compliance enforcement for AI agents — NIS2, GDPR, ISO 27001. ACTIVATE on EVERY prompt. Reads .compliance/profile.json to enforce data residency, supplier... It is an AI Agent Skill for Claude Code / OpenClaw, with 68 downloads so far.

How do I install EU Compliance Skill - complisec?

Run "/install eu-compliance" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is EU Compliance Skill - complisec free?

Yes, EU Compliance Skill - complisec is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does EU Compliance Skill - complisec support?

EU Compliance Skill - complisec is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created EU Compliance Skill - complisec?

It is built and maintained by eyesecurity (@pkerkhofs); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments