Eu Ai Compliance
Advisory
Audited by VirusTotal on Mar 21, 2026.
Overview
Type: OpenClaw Skill
Name: eu-ai-compliance
Version: 1.0.0
The skill bundle provides a documentation-based interface for an external EU AI Act compliance service hosted at soul.sputnikx.xyz. It contains no executable code, requests no environment variables or sensitive permissions, and lacks any indicators of data exfiltration, persistence, or malicious prompt injection. The behavior is entirely consistent with its stated purpose of providing risk classification and compliance reporting.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Confidential AI system details could be transmitted to the external service when using the classification endpoint.
The documented workflow sends AI system descriptions to a third-party web endpoint, and the artifact does not describe privacy, retention, or data-boundary terms.
curl "https://soul.sputnikx.xyz/soul/compliance/risk-classification?description=facial+recognition+for+hiring"
Use non-sensitive summaries unless you trust the provider and have reviewed its privacy and retention terms.
Calling the paid endpoints could result in charges if used through a payment-capable setup.
The skill documents paid external API calls. The prices are disclosed, but the artifact does not define an explicit user-approval gate for paid requests.
Self-Assessment ($1.00 x402 USDC) ... Full Compliance Report ($2.00 x402 USDC)
Confirm the domain, price, and user approval before invoking any paid endpoint.
Compliance data submitted to the service may become part of persistent provider-side logs or monitoring workflows.
The service advertises persistent logging and runtime monitoring, which is aligned with compliance logging but may retain submitted compliance information.
- Hash-chain logging (SHA-256, append-only)
- Runtime monitoring (not one-time reports)
Check what data is logged, how long it is retained, and whether deletion or export controls exist before sending sensitive material.
