Gdpr Data Export Tool
PassAudited by ClawScan on May 4, 2026.
Overview
This instruction-only skill is coherent for GDPR data-export design, but it deals with sensitive personal data and third-party vendor access, so it should be used with privacy controls.
Use this skill only if you are authorized to design or operate DSAR/privacy-export workflows. Prefer sanitized schemas and vendor lists, avoid pasting raw personal data unless your organization allows it, use least-privilege credentials for vendors, verify subject identity before exporting, and make sure generated export packages, signed URLs, and audit logs have strict access controls and retention limits.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If users paste real production data, schemas, or identifiers into the agent, sensitive personal-data handling details could be exposed outside the intended privacy team workflow.
The skill asks the user to map all systems that hold subject data. That is appropriate for GDPR export design, but it may place sensitive system and personal-data context into the agent conversation or generated worksheets.
Data stores — every database, search index, object store, log store, analytics store, and SaaS holding subject data
Use sanitized schemas where possible, avoid pasting raw personal data unless approved, and keep generated inventories and exports in approved secure locations.
Incorrectly scoped vendor access or use by an unauthorized person could expose customer records or business account data.
Fetching subject data from SaaS sub-processors can require delegated access to third-party systems and customer/account data. This is expected for a DSAR pipeline, but it is privileged activity.
Wire vendor coordination: per-DPA endpoints to fetch subject data (Stripe, Intercom, Segment, etc.)
Use least-privilege vendor credentials, confirm controller/processor authority before fetching data, and document each vendor request in the audit log.
A flawed pipeline could send incomplete data, the wrong subject’s data, or third-party data in an export package.
The workflow aggregates data across systems into packaged exports. A mistake in identity matching, shared-record minimization, or delivery configuration could propagate into the final export, although the skill also includes safeguards such as authentication and shared-data handling.
Design the export pipeline (worker + queue + storage); choose JSON/CSV/HTML packaging
Test with internal subjects before launch, require human review for edge cases, validate identity matching across stores, and enforce expiry and access controls on export links.