The Compliance Audit

A Claude skill that audits your repo for GDPR and the EU AI Act — and tells you exactly what to fix

The Idea

Your vibe-coded product is probably illegal. Not on purpose — but if anyone in the EU can use it, GDPR applies to you. And from 2 August 2026, the EU AI Act does too.

The trouble is the gaps are invisible from the outside. You pasted in a privacy-policy template, wired up an AI API, dropped in analytics, and shipped. Nothing looks broken — but the policy doesn't match what you collect, there's no real way to delete an account, and nobody has been told the AI provider is reading every message.

So this skill reads your actual code and checks it against what the law actually requires. It comes back with a short, ranked list of what's wrong and what to do about it — then offers to fix it for you. It won't make you a lawyer. It'll get you most of the way there.

Install It (No Terminal Needed)

The easiest way: let Claude install it for you. Open a new chat — in Claude Code or on the web at claude.ai — and paste this in. Claude grabs the file straight off GitHub and drops it in the right place.

Paste this into Claude
Please install this Claude skill for me. The SKILL.md file lives in this GitHub repo: https://github.com/oliwoodman/compliance-audit-skill Set it up so I can start using it, then offer to run a compliance audit on my repo straight away.

Once it's installed, run it in any repo by saying:

run compliance-audit

Prefer to grab the file yourself? Copy or download it and drop it into your project. It works on whatever you've built — Next.js, Rails, a static site, an API.

compliance-audit.md

The Compliance Audit skill

One file. Drop it into your project's .claude/skills/compliance-audit/ folder (or ~/.claude/skills/ to use it on every project), then say run compliance-audit in any repo.

The Four Things Most Products Are Missing

These are the four the audit leads with — the ones nearly every vibe-coded product fails. It checks plenty more underneath (consent, cookies, retention, data transfers, security basics), but if you only fix these, you've closed most of your exposure.

1. A privacy policy that matches what you actually collect

Not the template you pasted in

It reads your forms, database schema and API routes to see what you really collect — then diffs that against your policy. A template that says "name and email" while you store phone numbers, uploads and chat history is a transparency failure.

2. A real way for users to delete their data

"I'd do it manually" doesn't count

The right to erasure means a user-triggered way to actually remove their data. The audit looks for a real deletion path in your code — a route, a setting, a handler. If there isn't one, that's a finding.

3. Whether you're telling users they're talking to an AI

From 2 August, that's the law

If you've got a chatbot or AI-generated content, the EU AI Act says you have to tell people. It detects your AI features, then checks whether the interface actually discloses them.

4. Whether you've named every third party that touches their data

Your AI provider sees every message

It enumerates every processor from your dependencies and API keys — AI, analytics, email, payments, hosting — and checks each one is named in your policy. Your AI provider processes every message your users send. They should know.

How It Works

1. Reads your repo, not a template

Forms, API routes, dependencies, env vars, database schema, policy pages. It works out what your product actually does with personal data — and who it sends it to — from the code itself.

2. Checks it against GDPR and the EU AI Act

What you collect versus what the law requires. Privacy notice, consent, deletion, cookies, third-party disclosure, AI transparency, data transfers — the gaps most vibe-coded products ship with.

3. Ranks what it finds

Critical, medium, low — ordered by legal risk, not by how easy it is to fix. Every finding names what's wrong, where in your code it is, the law behind it, and the fix.

4. Offers to fix it

Say the word and it generates a privacy policy that matches your real data, scaffolds a delete-my-account flow, adds an AI-disclosure notice, or gates your cookies behind consent. The value's in the doing.

Run It If

  • You shipped a product and pasted in a privacy policy template.
  • Anyone in the EU or UK can sign up — so GDPR already applies to you.
  • You wired up an AI API and never added a notice that it's AI.
  • You've got Google Analytics or a Meta Pixel firing with no consent banner.
  • You genuinely don't know which third parties end up with your users' data.

One honest caveat

This is indicative guidance, not legal advice. It's an automated read of your code, not a lawyer — and it doesn't replace one for anything high-stakes. What it does is catch the obvious, expensive gaps fast, so the conversation you eventually have with a professional is a much shorter one.

Find out what you're missing.

Drop the skill into your project and run it. Five minutes later you'll have a ranked list of exactly what to fix — and an offer to fix it.

View the skill on GitHub →

Inspired by Flagged, a compliance scanner for UK and EU websites. This is the skill version — packaged to run inside Claude, right where you build.