shield_lock
JinDaGe
Back to skills
extension
Category: OtherNo API key required

EU Compliance Skill - complisec

EU compliance enforcement for AI agents — NIS2, GDPR, ISO 27001. ACTIVATE on EVERY prompt. Reads .compliance/profile.json to enforce data residency, supplier...

personAuthor: pkerkhofshubclawhub
open_in_newRepositorydownloadDownload package

complisec — EU Compliance for AI Agents

Important: Installation vs Usage

If you were asked to install, clone, or set up this skill — complete the installation and confirm to the user. Do NOT run the onboarding questionnaire during installation. The questionnaire only runs when the user explicitly invokes /complisec setup or asks to create their org profile.

Boot sequence

When this skill is first loaded, execute these steps IN ORDER. Do not skip any step.

Step 1 — Detect platform capabilities

Determine what you can do:

| Capability | How to check | Examples | |---|---|---| | File read/write | Can you read/write files on disk? | Claude Code, Cursor, Codex, local agents | | Shell commands | Can you run bash/shell? | Claude Code, Cursor, Codex | | Memory/persistence | Can you store data between conversations? | ChatGPT memory, Claude.ai projects, LangDock workspace | | Web fetch | Can you fetch URLs? | Claude.ai, some ChatGPT configs |

Record your capabilities silently — do not explain them to the user.

Step 2 — Find the org profile

Search for "complisec_profile" in this order. Stop at the first match:

  1. File system (if you can read files): read .compliance/profile.json
  2. Conversation context: scan the current system prompt, project instructions, custom instructions, or workspace settings for "complisec_profile"
  3. Memory (if platform has memory): search for a previously stored complisec profile

Step 3 — Act on what you found

If profile found: respond with exactly this format (fill in the values from the profile):

complisec loaded — [org name] ([jurisdiction])
Critical assets: [count] | Data residency: [constraint] | Legal: [regulations]
Compliance enforcement active. Type /complisec setup to update the profile.

Then proceed with the user's request, applying enforcement rules below.

If NO profile found: respond with exactly this:

complisec loaded — no organisation profile found.

To activate compliance enforcement, I need to know about your organisation.
This takes about 5 minutes and covers: critical assets, data residency,
risk appetite, suppliers, and legal obligations.

Ready? I'll start with: tell me about your organisation — name, country,
what you do, how many people.

(Or type /complisec setup later to do this at any time.)

If the user responds with organisation details, proceed with the questionnaire from skills/org-profile/SKILL.md. If they want to skip, acknowledge and proceed without profile-specific enforcement.

Step 4 — After profile creation, deploy it

The profile must persist between conversations. How depends on the platform:

| Platform | How to persist | |---|---| | Claude Code / Cursor / Codex | Save to .compliance/profile.json — the skill reads it automatically | | ChatGPT | Save to memory. Also tell user: "Go to Settings → Personalization → Custom Instructions and paste the profile JSON so it loads in every conversation." | | Claude.ai (Projects) | Tell user: "Open your project → Project Instructions. Paste the profile JSON at the top." | | LangDock | Tell user: "Go to workspace settings → find complisec → paste the profile JSON in the system prompt." | | Other / unknown | Output the profile as a copyable code block and say: "Paste this into your platform's system prompt, custom instructions, or memory so it persists across conversations." |

Enforcement rules

If $ARGUMENTS equals "setup", read skills/org-profile/SKILL.md and run the onboarding questionnaire.

Otherwise, once the profile is loaded, apply these rules when relevant:

1. Secrets

Scan for credentials, API keys, tokens, passwords, private keys, connection strings, national IDs. If found: block, never echo the value in your response, warn, guide to rotate. See skills/data-sensitivity/SKILL.md.

2. Critical assets

Does the conversation touch a critical asset from complisec_profile.critical_assets? If yes:

  • What's the CIA impact?
  • Is it within risk_appetite?
  • Does a new data flow or supplier touch it?
  • Are there regulatory implications from legal?

3. Data residency

Does the action involve cloud services, hosting, external APIs, or SaaS? Check data_residency. Flag violations: "Your profile restricts data to [regions]. This action sends data to [violating region]."

4. Risk appetite

Architectural decisions, trade-offs, cost vs security? Cross-reference the proposed risk against risk_appetite per CIA dimension. If risk exceeds appetite for an affected critical asset: warn. If within appetite: proceed.

5. Suppliers

New service or integration? Check complisec_profile.suppliers. Unknown supplier = flag: DPA needed, hosting location check. See skills/vendor-risk/SKILL.md.

6. Code generation

Never hardcode secrets. Include structured audit logging for data access. Respect data residency. See skills/audit-logging/SKILL.md.

7. Changes to critical assets

Modification to a critical asset? Impact assessment + rollback plan before proceeding. See skills/change-management/SKILL.md.

8. Incidents

Security incident, breach, or outage reported? Start the incident lifecycle immediately. Calculate notification deadlines using incident_reporting. See skills/incident-management/SKILL.md.

9. Skill vetting

Before installing a new skill: does it access critical assets? Send data outside allowed regions? Request credentials? Flag against the profile.

Sub-skills

Read when needed — don't load everything at once. If you have file access, read from the skills/ directory. If not, these are included in the ZIP that was uploaded.

| Sub-skill | When to read | |-----------|-------------| | skills/org-profile/SKILL.md | Create or update the org profile | | skills/nis2-gap-analysis/SKILL.md | NIS2 gap analysis | | skills/data-sensitivity/SKILL.md | Data classification, secret blocking | | skills/audit-logging/SKILL.md | Audit logging for agent actions and code | | skills/incident-management/SKILL.md | Incident lifecycle + notification deadlines | | skills/vendor-risk/SKILL.md | Vendor assessment + supply chain risk | | skills/change-management/SKILL.md | Change records for critical assets | | skills/compliance-hub/SKILL.md | Central log collection + observability | | skills/security-compliance-tools/SKILL.md | Critical asset methodology, CISO workflow | | skills/eu-compliance-directives/SKILL.md | EU regulation source index | | skills/risk-assessment-writer/SKILL.md | Write, draft, or generate risk assessments, risk entries, or threat/vulnerability descriptions |