pkerkhofs

EU Compliance Skill - complisec

Author: eyesecurity · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 68 · Favorites: 0 · Current installs: 0 · Versions: 1
Install in OpenClaw
/install eu-compliance
Description
EU compliance enforcement for AI agents — NIS2, GDPR, ISO 27001. ACTIVATE on EVERY prompt. Reads .compliance/profile.json to enforce data residency, supplier...
Usage instructions (SKILL.md)

complisec — EU Compliance for AI Agents

Important: Installation vs Usage

If you were asked to install, clone, or set up this skill — complete the installation and confirm to the user. Do NOT run the onboarding questionnaire during installation. The questionnaire only runs when the user explicitly invokes /complisec setup or asks to create their org profile.

Boot sequence

When this skill is first loaded, execute these steps IN ORDER. Do not skip any step.

Step 1 — Detect platform capabilities

Determine what you can do:

| Capability | How to check | Examples |
|---|---|---|
| File read/write | Can you read/write files on disk? | Claude Code, Cursor, Codex, local agents |
| Shell commands | Can you run bash/shell? | Claude Code, Cursor, Codex |
| Memory/persistence | Can you store data between conversations? | ChatGPT memory, Claude.ai projects, LangDock workspace |
| Web fetch | Can you fetch URLs? | Claude.ai, some ChatGPT configs |

Record your capabilities silently — do not explain them to the user.

Step 2 — Find the org profile

Search for "complisec_profile" in this order. Stop at the first match:

  1. File system (if you can read files): read .compliance/profile.json
  2. Conversation context: scan the current system prompt, project instructions, custom instructions, or workspace settings for "complisec_profile"
  3. Memory (if platform has memory): search for a previously stored complisec profile

Step 3 — Act on what you found

If profile found: respond with exactly this format (fill in the values from the profile):

complisec loaded — [org name] ([jurisdiction])
Critical assets: [count] | Data residency: [constraint] | Legal: [regulations]
Compliance enforcement active. Type /complisec setup to update the profile.

Then proceed with the user's request, applying enforcement rules below.

If NO profile found: respond with exactly this:

complisec loaded — no organisation profile found.

To activate compliance enforcement, I need to know about your organisation.
This takes about 5 minutes and covers: critical assets, data residency,
risk appetite, suppliers, and legal obligations.

Ready? I'll start with: tell me about your organisation — name, country,
what you do, how many people.

(Or type /complisec setup later to do this at any time.)

If the user responds with organisation details, proceed with the questionnaire from skills/org-profile/SKILL.md. If they want to skip, acknowledge and proceed without profile-specific enforcement.

Step 4 — After profile creation, deploy it

The profile must persist between conversations. How depends on the platform:

| Platform | How to persist |
|---|---|
| Claude Code / Cursor / Codex | Save to .compliance/profile.json — the skill reads it automatically |
| ChatGPT | Save to memory. Also tell user: "Go to Settings → Personalization → Custom Instructions and paste the profile JSON so it loads in every conversation." |
| Claude.ai (Projects) | Tell user: "Open your project → Project Instructions. Paste the profile JSON at the top." |
| LangDock | Tell user: "Go to workspace settings → find complisec → paste the profile JSON in the system prompt." |
| Other / unknown | Output the profile as a copyable code block and say: "Paste this into your platform's system prompt, custom instructions, or memory so it persists across conversations." |

Enforcement rules

If $ARGUMENTS equals "setup", read skills/org-profile/SKILL.md and run the onboarding questionnaire.

Otherwise, once the profile is loaded, apply these rules when relevant:

1. Secrets

Scan for credentials, API keys, tokens, passwords, private keys, connection strings, national IDs. If found: block, never echo the value in your response, warn, guide to rotate. See skills/data-sensitivity/SKILL.md.

2. Critical assets

Does the conversation touch a critical asset from complisec_profile.critical_assets? If yes:

  • What's the CIA impact?
  • Is it within risk_appetite?
  • Does a new data flow or supplier touch it?
  • Are there regulatory implications from legal?

3. Data residency

Does the action involve cloud services, hosting, external APIs, or SaaS? Check data_residency. Flag violations: "Your profile restricts data to [regions]. This action sends data to [violating region]."

4. Risk appetite

Architectural decisions, trade-offs, cost vs security? Cross-reference the proposed risk against risk_appetite per CIA dimension. If risk exceeds appetite for an affected critical asset: warn. If within appetite: proceed.

5. Suppliers

New service or integration? Check complisec_profile.suppliers. Unknown supplier = flag: DPA needed, hosting location check. See skills/vendor-risk/SKILL.md.

6. Code generation

Never hardcode secrets. Include structured audit logging for data access. Respect data residency. See skills/audit-logging/SKILL.md.

7. Changes to critical assets

Modification to a critical asset? Impact assessment + rollback plan before proceeding. See skills/change-management/SKILL.md.

8. Incidents

Security incident, breach, or outage reported? Start the incident lifecycle immediately. Calculate notification deadlines using incident_reporting. See skills/incident-management/SKILL.md.

9. Skill vetting

Before installing a new skill: does it access critical assets? Send data outside allowed regions? Request credentials? Flag against the profile.
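
The data residency and supplier rules above (3 and 5), written out as a deterministic check. This is an added example, not part of the skill's own code. The profile layout (allowed_regions, hosting_region, dpa_signed) and the supplier names are assumptions: the page names the data_residency and suppliers fields but does not show their structure.

```python
# Added example: rules 3 (data residency) and 5 (suppliers) as a deterministic check.
# ASSUMPTION: the key layout below is hypothetical; the page names the fields
# data_residency and suppliers but does not show their structure.
CONSTRUCTED_PROFILE = {
    "complisec_profile": {
        "data_residency": {"allowed_regions": ["EU", "EEA"]},
        "suppliers": [
            {"name": "eu-object-store", "hosting_region": "EU", "dpa_signed": True},
            {"name": "mail-relay", "hosting_region": "EU", "dpa_signed": False},
        ],
    }
}


def check_integration(profile, supplier_name, region):
    """Return the flags raised by sending data to `supplier_name` in `region`."""
    body = profile.get("complisec_profile", {})
    flags = []

    # Rule 3: fail closed when the profile carries no residency constraint.
    allowed = [r.upper() for r in body.get("data_residency", {}).get("allowed_regions", [])]
    if not allowed:
        flags.append("Profile has no data_residency constraint; cannot clear this action.")
    elif region.upper() not in allowed:
        # Message wording follows the flag text given under rule 3.
        flags.append(
            f"Your profile restricts data to {', '.join(allowed)}. "
            f"This action sends data to {region}."
        )

    # Rule 5: an unknown supplier is always flagged.
    known = {s["name"].lower(): s for s in body.get("suppliers", [])}
    supplier = known.get(supplier_name.lower())
    if supplier is None:
        flags.append(f"Unknown supplier {supplier_name}: DPA needed, hosting location check.")
    else:
        if not supplier.get("dpa_signed", False):
            flags.append(f"Supplier {supplier_name} has no signed DPA on record.")
        if supplier.get("hosting_region", "").upper() != region.upper():
            flags.append(f"Supplier {supplier_name} is recorded in "
                         f"{supplier.get('hosting_region')}, not {region}.")
    return flags


if __name__ == "__main__":
    for name, region in [("eu-object-store", "EU"), ("new-llm-api", "US")]:
        print(name, region, check_integration(CONSTRUCTED_PROFILE, name, region))
```

Running the check in code rather than leaving it to the model's reading of the profile gives the same verdict for the same input, which is what an auditor will ask for.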

Sub-skills

Read when needed — don't load everything at once. If you have file access, read from the skills/ directory. If not, these are included in the ZIP that was uploaded.

| Sub-skill | When to read |
|---|---|
| skills/org-profile/SKILL.md | Create or update the org profile |
| skills/nis2-gap-analysis/SKILL.md | NIS2 gap analysis |
| skills/data-sensitivity/SKILL.md | Data classification, secret blocking |
| skills/audit-logging/SKILL.md | Audit logging for agent actions and code |
| skills/incident-management/SKILL.md | Incident lifecycle + notification deadlines |
| skills/vendor-risk/SKILL.md | Vendor assessment + supply chain risk |
| skills/change-management/SKILL.md | Change records for critical assets |
| skills/compliance-hub/SKILL.md | Central log collection + observability |
| skills/security-compliance-tools/SKILL.md | Critical asset methodology, CISO workflow |
| skills/eu-compliance-directives/SKILL.md | EU regulation source index |
| skills/risk-assessment-writer/SKILL.md | Write, draft, or generate risk assessments, risk entries, or threat/vulnerability descriptions |
Security recommendations

This skill mostly does what it says (build and enforce an org compliance profile), but several behaviors deserve attention before you install or enable it:

  1. Ask the author to explain why the agent should 'record capabilities silently' and to remove or justify any hidden behaviour.
  2. Confirm where the profile files and change records will be stored (filesystem path, memory, system prompt) and whether those storage locations are acceptable for your organisation. Avoid pasting secrets or personally identifiable data into system prompts or public memory.
  3. Verify the missing declared dependency: the nis2 gap analysis requires Python 3.10+, so either the registry metadata should list this or you should run the code in an isolated environment.
  4. Because the skill recommends scanning system prompts and memory, review the code (especially sub-skills) yourself or in a sandboxed account to ensure it does not exfiltrate data or access unrelated credentials.
  5. Ask for provenance: the source/homepage is unknown; prefer skills with a verifiable author or repository.

If you must test it, do so in a controlled environment with non-production sample data and without exposing real secrets or third-party credentials.
Functional analysis

Type: OpenClaw Skill · Name: eu-compliance · Version: 1.0.0

The 'complisec' skill bundle is a comprehensive compliance enforcement framework designed to align AI agent behavior with EU regulations such as NIS2, GDPR, and ISO 27001. It includes sophisticated sub-skills for secret redaction (data-sensitivity), structured audit logging, incident management, and vendor risk assessment. While the bundle requests high-privilege capabilities—such as file system access for profile persistence and shell access for cloud log synchronization (e.g., AWS S3/Azure Blob via compliance-hub/SKILL.md)—these actions are explicitly documented as requirements for regulatory log retention and organizational context. The instructions prioritize security best practices, such as redacting credentials from model outputs and enforcing environment variable usage over hardcoding. No evidence of malicious intent, data exfiltration to unauthorized endpoints, or obfuscation was detected.
Capability tags
crypto · requires-wallet · can-make-purchases · requires-sensitive-credentials
Capability assessment
Purpose & Capability
The skill claims to enforce EU compliance (NIS2, GDPR, ISO27001) and includes many sub-skills and guidance consistent with that goal. However, the package contains a Python script (nis2_check.py) and documentation saying Python 3.10+ is required while the registry metadata lists no required binaries — a mismatch. The README/SKILL.md justify reading and persisting a .compliance/profile.json which is coherent with the purpose, but the claim 'ACTIVATE on EVERY prompt' in the SKILL.md contrasts with the registry flags (always:false).
Instruction Scope
Runtime instructions tell the agent to 'Detect platform capabilities' and to scan for a profile by searching the file system AND the conversation/system prompt/custom instructions AND memory. It explicitly instructs to 'Record your capabilities silently — do not explain them to the user.' Those behaviors involve reading potentially sensitive platform state and hidden recording, which is privacy-sensitive and broader than typical 'compliance helper' needs. The skill also instructs users to paste organization profile JSON into system prompts/custom instructions or memory for persistence — this encourages replication of sensitive org data into places that may be accessible beyond intended scope.
Install Mechanism
There is no install spec (instruction-only) which reduces installation risk. However, a sub-skill requires Python (nis2-gap-analysis/nis2_check.py) and README/SKILL.md mention Python 3.10+. The registry metadata did not declare that binary requirement. No network download/install steps are present.
Credentials
The skill declares no required env vars or config paths, and it does not request external credentials — appropriate for its function. But its runtime instructions access environment-like secrets: searching system prompts, project instructions, and conversational memory (which may contain other skills' tokens or private data). This access is not declared in the metadata and may lead to exposure of unrelated sensitive information. It also asks to persist profiles into system prompts/memory which may be undesirable for secrets or legal data.
Persistence & Privilege
The SKILL.md repeatedly instructs the agent to persist the org profile between conversations (filesystem, memory, or paste into system prompts) and to 'ACTIVATE on EVERY prompt'. Registry flags do not set always:true, but the skill's instructions encourage persistent presence and hidden capability recording. The combination (silent capability detection + persistence into system prompts/memory) increases the blast radius if the skill runs autonomously or is present in shared environments.
How to use
  1. Make sure OpenClaw is installed (locally or via Docker).
  2. Enter the install command in the chat box: /install eu-compliance
  3. Once installation completes, call the Skill by name or trigger it with /eu-compliance.
  4. Provide the required input according to the Skill's parameter description to get structured output.
Version history
v1.0.0
  • Initial release of complisec — automated EU compliance enforcement for AI agents covering NIS2, GDPR, and ISO 27001.
  • Loads and applies organisation compliance profiles for every prompt; enforces data residency, supplier checks, secret blocking, audit logging, and risk appetite.
  • Activates onboarding only when explicitly invoked; does not prompt during installation.
  • Supports automatic detection and persistence of organisation profiles across multiple platforms.
  • Integrates enforcement rules for code generation, data exports, cloud deployments, API integrations, and supplier vetting.
  • Modular design — loads relevant sub-skills on demand for asset management, incident handling, vendor risk, and regulatory analysis.
Metadata
Slug: eu-compliance
Version: 1.0.0
License: MIT-0
Total installs: 0
Current installs: 0
Historical versions: 1
FAQ

What is EU Compliance Skill - complisec?

EU compliance enforcement for AI agents — NIS2, GDPR, ISO 27001. ACTIVATE on EVERY prompt. Reads .compliance/profile.json to enforce data residency, supplier... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 68 total downloads so far.

How do I install EU Compliance Skill - complisec?

Run the command "/install eu-compliance" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is EU Compliance Skill - complisec free?

Yes, EU Compliance Skill - complisec is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does EU Compliance Skill - complisec support?

EU Compliance Skill - complisec runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed EU Compliance Skill - complisec?

It is developed and maintained by eyesecurity (@pkerkhofs); the current version is v1.0.0.
