Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nex Gdpr

v1.0.0

GDPR and AVG (Belgian data protection law) compliance handler for agency operators, data controllers, and organizations managing data subject requests. Regis...

by Nex AI (@nexaiguy)
Security Scan

Capability signals
  • Crypto: Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The skill's name, description, and commands align with the code: it scans sessions, logs, memory and certain SQLite DBs and provides request management, exports, and deletion. However, metadata/SKILL.md mark it as 'instruction-only' while the bundle contains executable code and a setup.sh that will install files and create a local DB/executables. Also, requires.env lists NEX_GDPR_SCAN_PATHS but the included Python code does not appear to read that variable (SESSION_DIRS reads OPENCLAW_SESSIONS). These mismatches reduce confidence that the declared requirements fully reflect what will be installed/run.
Instruction Scope
Runtime instructions and the code explicitly direct the agent to read wide-ranging local data: OpenClaw session folders, agent memory (~/.nex-memory), application logs (~/.nex-logs), user upload directories (~/.nex-uploads), and other skills' SQLite DB files (e.g., ~/.life-logger, ~/.nex-inbox, ~/.nex-notes). That is coherent for a GDPR tool but represents broad access to potentially unrelated user data. The README/SKILL.md also instructs running setup.sh which will create a venv, database files, and a CLI wrapper—so the skill will persist data locally and perform file I/O beyond ephemeral instructions.
[!] Install Mechanism
There is no formal install spec in registry metadata, but the package includes setup.sh and multiple Python modules (nex-gdpr.py, lib/*). setup.sh is advertised in README and SKILL.md; running it will write to the user's home directory (~/.nex-gdpr) and place an executable under ~/.local/bin. The lack of an explicit registry install spec combined with an executable install script is a risk to verify (review setup.sh before running).
[!] Credentials
Declared required env vars are OPENCLAW_SESSIONS and NEX_GDPR_SCAN_PATHS. The code reads OPENCLAW_SESSIONS (used in SESSION_DIRS) but I could not find code that parses NEX_GDPR_SCAN_PATHS; README references it. The scanner accesses many hard-coded home-directory locations and other skills' DB files, which is consistent with its purpose but broad. No cloud or unrelated secret env vars are requested, which is good, but the unused declared env var and broad default scan targets are inconsistencies to clarify.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. It creates a persistent local data directory (~/.nex-gdpr), an SQLite database, export and audit directories, and may create a CLI wrapper in ~/.local/bin when setup.sh is run — all reasonable for a local GDPR tool. It does not request elevated OS-level privileges or modify other skills' configurations.
What to consider before installing
This package is a local GDPR utility that will scan many files under your home directory and create a persistent database and export files in ~/.nex-gdpr. Before installing or running it:
1) Review setup.sh to see exactly what it installs and where; run it only in a controlled environment or container if you are unsure.
2) Confirm which environment variables are actually used: OPENCLAW_SESSIONS is read by the code, but NEX_GDPR_SCAN_PATHS is declared in the metadata and README yet not obviously consumed by the Python code — ask the author or inspect the code if you need custom scan paths.
3) Be aware the scanner will read other skills' SQLite DBs and agent memory files; if you don't want that breadth, restrict configured scan paths or run the tool under a dedicated service account.
4) The code advertises secure 3-pass deletion, but the delete-path logic contains comments about demo behavior and the safe delete function does not always use the overwriting routine — test deletion semantics in a safe environment and back up audit logs before trusting erasure.
5) If you will handle real data subject requests, validate audit and encryption behaviors (export encryption is noted as a recommendation, not enforced).
If any of the above are unacceptable, do not run setup.sh, or run the tool only in isolation until you can validate and/or harden it.

Runtime requirements

  • Clawdis
  • Bins: python3
  • Env: OPENCLAW_SESSIONS, NEX_GDPR_SCAN_PATHS

Latest version id: vk97ek8qjj767ccb9kxstbvcz51849mat
52 downloads · 1 star · 1 version · updated 2w ago · v1.0.0 · MIT-0

Nex GDPR

GDPR Data Request Handler for agency operators running OpenClaw for clients. Automate compliance with data subject rights (Articles 15-21 of GDPR/AVG). Register requests, scan for personal data, process erasure/access/portability, generate response letters, and maintain audit trails.

When to Use

Use this skill when you need to:

  • Register and manage GDPR data subject requests (inzageverzoek, verwijderverzoek, etc.)
  • Process Right to Access requests (Article 15 - inzagerecht): Locate all personal data and compile export packages
  • Process Right to Erasure requests (Article 17 - verwijderrecht): Identify and securely delete personal data
  • Process Right to Data Portability requests (Article 20 - recht op gegevensoverdracht): Export in machine-readable format
  • Process Right to Rectification requests (Article 16 - recht op correctie): Track and apply corrections
  • Track Right to Restriction of Processing (Article 18 - recht op beperking)
  • Handle Right to Object (Article 21 - recht van verzet)
  • Scan for personal data across OpenClaw sessions, logs, and databases
  • Generate compliance response letters in Dutch and English
  • Maintain audit trails for every action taken
  • Monitor compliance deadlines (30-day GDPR response deadline)
  • Manage data retention policies and auto-cleanup
  • Export compliance reports for documentation

Trigger phrases: "GDPR request", "data subject request", "inzageverzoek", "verwijderverzoek", "right to access", "right to erasure", "data portability", "personal data", "PII", "AVG", "persoonsgegevens", "erasure request", "portability request", "how many GDPR requests", "overdue requests", "audit trail", "compliance documentation"

Example use cases:

  • "Register a new GDPR access request for jan@example.be"
  • "Scan for all data related to jan@example.be"
  • "Process the access request for request #42"
  • "Which GDPR requests are overdue?"
  • "Generate a response letter for the Jan Peeters request"
  • "Show the audit trail for request #42"
  • "Export compliance report for request #42"
  • "Show GDPR statistics and compliance status"

Quick Setup

If the database does not exist yet, run the setup script:

bash setup.sh

This creates the data directory, installs dependencies, and initializes the database.

Available Commands

Request Management

Register a new request:

nex-gdpr new --type access --name "Jan Peeters" --email "jan@example.be" --id "user_jan_123"

Request types: ACCESS, ERASURE, PORTABILITY, RECTIFICATION, RESTRICTION, OBJECTION

List all requests:

nex-gdpr list
nex-gdpr list --status VERIFIED
nex-gdpr list --type ERASURE

Show request details:

nex-gdpr show 42

Shows request status, deadline, findings, and audit trail.

Data Discovery & Scanning

Scan for user data:

nex-gdpr scan "jan@example.be"
nex-gdpr scan --request 42

Scans OpenClaw sessions, agent memory, logs, and databases for personal data.

Show findings for a request:

nex-gdpr findings 42

Request Processing

Process a request:

nex-gdpr process 42

Automatically:

  • Scans for all user data
  • For ACCESS: Creates export ZIP package
  • For ERASURE: Securely deletes personal data (with logging)
  • For PORTABILITY: Exports machine-readable JSON format
  • Marks request as COMPLETED

Verify request identity:

nex-gdpr verify 42 --method "email confirmation"

Deny a request:

nex-gdpr deny 42 --reason "Identity could not be verified"

Complete a request:

nex-gdpr complete 42

Compliance & Monitoring

Show overdue requests:

nex-gdpr overdue

Highlights requests past the 30-day GDPR response deadline.

Generate response letter:

nex-gdpr letter 42

Outputs formal response letter in Dutch and English (Article 15-21 compliant).

Export compliance report:

nex-gdpr export 42

Exports complete request report (JSON) with findings and audit trail.

Show audit trail:

nex-gdpr audit 42

Displays all actions taken on the request (verification, processing, approvals).

Show GDPR statistics:

nex-gdpr stats

Displays request counts by status/type, overdue requests, PII findings, and data volumes.

Data Retention

Show retention policies:

nex-gdpr retention show

Set retention policy:

nex-gdpr retention set --type sessions --days 180 --auto-delete

Run cleanup:

nex-gdpr cleanup --dry-run
nex-gdpr cleanup --execute

Architecture

Storage

  • SQLite Database at ~/.nex-gdpr/gdpr.db
  • Tables: requests, data_findings, audit_trail, retention_policies
  • Indexes on status, type, deadline for fast queries

Data Scanning

  • OpenClaw Sessions: Scans .openclaw/sessions and .claw/sessions
  • Agent Memory: Scans .nex-memory directory
  • Logs: Scans .nex-logs for user references
  • Other Databases: Scans other nex-* skill databases
  • PII Detection: Email, phone, national numbers, VAT numbers

Request Processing

  • ACCESS: Creates ZIP export of all found data
  • ERASURE: Securely deletes files (3-pass overwrite)
  • PORTABILITY: Exports JSON format with metadata
  • RECTIFICATION: Tracks corrections to personal data
  • All actions logged with timestamps and actor information
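The ERASURE step above is the one the security scan singles out: the README promises a 3-pass overwrite, but the reviewer could not confirm that every delete path actually goes through the overwriting routine. The block below is an added example written for this page (it is not the skill's code and assumes nothing about its internals) showing the shape a defender would want: a single erasure entry point that always overwrites, fsyncs after each pass, refuses to follow symlinks, and records what it did in an audit list. One caveat a practitioner should carry with it: in-place overwriting only helps on media that rewrites the same physical blocks; on SSDs, copy-on-write or journaling filesystems and snapshotted volumes the old data can survive, so rely on encryption at rest with key destruction or device-level sanitization for a real erasure guarantee and treat the overwrite as best-effort.

```python
import os
import secrets
import tempfile
from pathlib import Path

PASSES = 3  # the README advertises a 3-pass overwrite


def overwrite_and_unlink(path, passes=PASSES):
    """Overwrite the file in place `passes` times with random bytes, fsync after each
    pass, then unlink. Returns the number of bytes overwritten per pass."""
    p = Path(path)
    if p.is_symlink():
        # Overwriting through a link would shred whatever the link points at, which may
        # be a file that is not part of the finding. Refuse instead of following it.
        raise ValueError(f"refusing to erase symlink: {p}")
    if not p.is_file():
        raise FileNotFoundError(str(p))
    size = p.stat().st_size
    with open(p, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                chunk = min(remaining, 1 << 16)
                written = f.write(secrets.token_bytes(chunk))
                remaining -= written
            os.fsync(f.fileno())  # push this pass to the device before starting the next
    os.unlink(p)
    return size


def erase_finding(path, audit):
    """The only erasure entry point: every delete goes through the overwrite routine and
    is recorded, so no 'demo' branch can silently skip the overwrite."""
    n = overwrite_and_unlink(path)
    audit.append({"action": "ERASE", "path": str(path), "bytes": n, "passes": PASSES})
    return n


SAMPLE_CONTENT = b'{"user": "jan@example.be", "msg": "hello"}'  # constructed sample data


def demo_erase():
    """Create a constructed session file in a temp dir, erase it, and return
    (bytes_overwritten, file_gone, audit_entries)."""
    audit = []
    with tempfile.TemporaryDirectory() as d:
        target = Path(d) / "session-jan.json"
        target.write_bytes(SAMPLE_CONTENT)
        n = erase_finding(target, audit)
        gone = not target.exists()
    return n, gone, audit


def demo_symlink_refused():
    """Show the guard: a symlink to a file is refused and the link target stays intact."""
    with tempfile.TemporaryDirectory() as d:
        real = Path(d) / "keep-me.txt"
        real.write_bytes(b"unrelated data")
        link = Path(d) / "finding.txt"
        link.symlink_to(real)
        try:
            erase_finding(link, [])
            refused = False
        except ValueError:
            refused = True
        return refused and real.read_bytes() == b"unrelated data"


if __name__ == "__main__":
    print(demo_erase())
    print("symlink refused:", demo_symlink_refused())
```

When reviewing the skill's own deletion code, the two things to check against this shape are that there is exactly one path from "process ERASURE" to the filesystem, and that the audit entry is written after the unlink succeeds rather than before the overwrite starts.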

Compliance

  • 30-day Response Deadline: Automatically calculated from GDPR Article 12
  • 60-day Extension: For complex requests (logged and tracked)
  • Audit Trail: Every action recorded (scanning, verification, processing, completion)
  • Response Letters: Generated in Dutch (AVG) and English (GDPR)
  • Retention Policies: Configurable per data type (default 1 year, audit 7 years)

Data Locations Scanned

The scanner searches the following locations for personal data:

  • ~/.openclaw/sessions - OpenClaw session files
  • ~/.claw/sessions - Alternative Claw sessions
  • ~/.nex-memory - Agent memory files
  • ~/.nex-logs - Application logs
  • ~/.nex-uploads - Uploaded files
  • Other nex-* skill databases (life-logger, inbox, notes, etc.)

Configurable via environment variables:

export OPENCLAW_SESSIONS="/custom/sessions/path"
export NEX_GDPR_SCAN_PATHS="/path1:/path2:/path3"
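The scan report notes that NEX_GDPR_SCAN_PATHS is declared but apparently never parsed, and its main advice is to restrict scan paths. The block below is an added example, not the skill's code, that covers both of the sections above: it builds the scanner's allow-list strictly from OPENCLAW_SESSIONS and the colon-separated NEX_GDPR_SCAN_PATHS (an operator who sets neither gets an empty list, not a home-wide scan), walks only those roots while skipping symlinks, and applies the README's PII categories (email, Belgian phone, national number, VAT number) with mod-97 checksum validation so that an 11-digit string with a wrong check digit is not reported as an identifier. The file layout, the regexes and the sample text are this example's own assumptions; the checksum rules are the public Belgian ones.

```python
import os
import re
import tempfile
from pathlib import Path


def scan_roots(env=None):
    """Directories the scanner may read, built only from explicit configuration.
    Env var names are the ones the README documents; the parsing is this example's own."""
    env = os.environ if env is None else env
    roots = []
    sessions = env.get("OPENCLAW_SESSIONS", "").strip()
    if sessions:
        roots.append(sessions)
    for p in env.get("NEX_GDPR_SCAN_PATHS", "").split(":"):
        if p.strip():
            roots.append(p.strip())
    seen, out = set(), []
    for r in roots:  # expand ~ and drop duplicates while keeping order
        r = os.path.expanduser(r)
        if r not in seen:
            seen.add(r)
            out.append(r)
    return out


def belgian_national_number_ok(digits):
    """Rijksregisternummer YYMMDDNNNCC: CC == 97 - (YYMMDDNNN mod 97); for people born
    from 2000 on, the nine-digit body is prefixed with a '2' before taking the modulus."""
    if len(digits) != 11 or not digits.isdigit():
        return False
    body, check = int(digits[:9]), int(digits[9:])
    return check == 97 - (body % 97) or check == 97 - ((2_000_000_000 + body) % 97)


def belgian_vat_ok(digits):
    """BE VAT: 10 digits starting with 0 or 1; last two == 97 - (first eight mod 97)."""
    if len(digits) != 10 or not digits.isdigit() or digits[0] not in "01":
        return False
    return int(digits[8:]) == 97 - (int(digits[:8]) % 97)


PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"\+32(?:[\s.]?\d){8,9}"),
    "national_number": re.compile(r"\b\d{2}[.\s-]?\d{2}[.\s-]?\d{2}[-\s.]?\d{3}[.\s-]?\d{2}\b"),
    "vat": re.compile(r"\bBE[\s.]?\d[\s.]?\d{3}[\s.]?\d{3}[\s.]?\d{3}\b"),
}


def find_pii(text):
    """Return [(kind, matched_text)] for the PII categories above, keeping only
    identifiers whose checksum is valid."""
    hits = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            raw = m.group(0)
            digits = re.sub(r"\D", "", raw)
            if kind == "national_number" and not belgian_national_number_ok(digits):
                continue
            if kind == "vat" and not belgian_vat_ok(digits):
                continue
            hits.append((kind, raw))
    return hits


def scan_paths(roots, max_bytes=1 << 20):
    """Walk only the configured roots and return [(path, kind, match)]. os.walk does not
    descend into symlinked directories; symlinked files are skipped here so a planted
    link cannot pull the scan outside the allow-list."""
    results = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                fp = os.path.join(dirpath, name)
                if os.path.islink(fp) or not os.path.isfile(fp):
                    continue
                with open(fp, "rb") as f:
                    text = f.read(max_bytes).decode("utf-8", "replace")
                for kind, raw in find_pii(text):
                    results.append((fp, kind, raw))
    return results


# Constructed sample text: one valid and one mistyped national number.
SAMPLE = ("Contact jan@example.be or +32 470 12 34 56; RRN 85.07.30-033.28 "
          "(typo 85.07.30-033.29), VAT BE0123456749.")


def demo_scan():
    """Constructed fixture: a single session file under a temp root configured as
    OPENCLAW_SESSIONS and no NEX_GDPR_SCAN_PATHS; returns the (kind, match) pairs found."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "session-0001.txt").write_text(SAMPLE, encoding="utf-8")
        roots = scan_roots({"OPENCLAW_SESSIONS": d})
        return [(kind, raw) for _, kind, raw in scan_paths(roots)]


if __name__ == "__main__":
    for hit in demo_scan():
        print(hit)
```

The allow-list is the control that answers the reviewer's "broad access" concern: with this shape, the tool reads other skills' databases only if an operator lists them in NEX_GDPR_SCAN_PATHS, and nothing at all if the variables are unset.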

GDPR Articles Supported

  • Article 15: Right of access by the data subject
  • Article 16: Right to rectification
  • Article 17: Right to erasure (right to be forgotten)
  • Article 18: Right to restrict processing
  • Article 20: Right to data portability
  • Article 21: Right to object

Privacy & Security

  • All personal data exports are encrypted and stored in ~/.nex-gdpr/exports/
  • Erasure operations use secure deletion (3-pass overwrite)
  • Audit trail cannot be modified (append-only)
  • All operations require explicit status changes
  • No automatic external sharing (all data stays local)
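Two of the claims above, the 30-day deadline with a 60-day extension (Compliance) and an audit trail that "cannot be modified" (Privacy & Security), are worth being able to verify rather than take on trust. The block below is an added example for this page, not the skill's code and not its real schema (the audit_trail columns here are hypothetical): it computes deadlines from timezone-aware timestamps using the README's config values, stores audit records in SQLite with triggers that reject UPDATE and DELETE, and hash-chains each record to the previous one so that anyone who bypasses the triggers (for instance by dropping them in a copy of the DB file) breaks every later hash and is caught by verify_audit.

```python
import hashlib
import json
import sqlite3
from datetime import datetime, timedelta, timezone

RESPONSE_DEADLINE_DAYS = 30  # values as the README describes lib/config.py
EXTENSION_DAYS = 60
GENESIS = "0" * 64


def deadline(received_at, extended=False):
    """Response deadline for a request received at `received_at`, which must be
    timezone-aware to match the README's ISO 8601-with-timezone convention."""
    if received_at.tzinfo is None:
        raise ValueError("received_at must be timezone-aware")
    days = RESPONSE_DEADLINE_DAYS + (EXTENSION_DAYS if extended else 0)
    return received_at + timedelta(days=days)


def is_overdue(received_at, now, status="OPEN", extended=False):
    """Closed requests are never overdue; open ones are once `now` passes the deadline."""
    if status in ("COMPLETED", "DENIED"):
        return False
    return now > deadline(received_at, extended)


# Hypothetical schema for this example. The triggers make 'append-only' something the
# database enforces rather than something the application promises.
SCHEMA = """
CREATE TABLE audit_trail (
    id INTEGER PRIMARY KEY,
    request_id INTEGER NOT NULL,
    action TEXT NOT NULL,
    actor TEXT NOT NULL,
    detail TEXT NOT NULL DEFAULT '',
    at TEXT NOT NULL,
    prev_hash TEXT NOT NULL,
    hash TEXT NOT NULL
);
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_trail
    BEGIN SELECT RAISE(ABORT, 'audit_trail is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_trail
    BEGIN SELECT RAISE(ABORT, 'audit_trail is append-only'); END;
"""


def open_audit_db(path=":memory:"):
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    return con


def _entry_hash(prev_hash, fields):
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_audit(con, request_id, action, actor, detail="", at=None):
    """Insert one record whose hash covers the previous record's hash."""
    at = (at or datetime.now(timezone.utc)).isoformat()
    row = con.execute("SELECT hash FROM audit_trail ORDER BY id DESC LIMIT 1").fetchone()
    prev = row[0] if row else GENESIS
    fields = {"request_id": request_id, "action": action, "actor": actor,
              "detail": detail, "at": at}
    h = _entry_hash(prev, fields)
    con.execute("INSERT INTO audit_trail (request_id, action, actor, detail, at, prev_hash, hash)"
                " VALUES (?,?,?,?,?,?,?)", (request_id, action, actor, detail, at, prev, h))
    con.commit()
    return h


def verify_audit(con):
    """Recompute the chain from GENESIS; return the id of the first bad record, or None."""
    prev = GENESIS
    for rid, request_id, action, actor, detail, at, prev_hash, h in con.execute(
            "SELECT id, request_id, action, actor, detail, at, prev_hash, hash"
            " FROM audit_trail ORDER BY id"):
        fields = {"request_id": request_id, "action": action, "actor": actor,
                  "detail": detail, "at": at}
        if prev_hash != prev or _entry_hash(prev, fields) != h:
            return rid
        prev = h
    return None


def audit_is_writable(con):
    """Try to edit record 1; True only if the trigger let the UPDATE through."""
    try:
        con.execute("UPDATE audit_trail SET detail = 'edited' WHERE id = 1")
        return True
    except sqlite3.DatabaseError:
        return False
```

A hash chain only detects tampering by someone who cannot rewrite the whole chain; an operator with write access to gdpr.db can drop the triggers and regenerate every hash. For an agency handling real requests, periodically copy the latest hash somewhere the tool's account cannot write (a forwarded log line, a separate account's store) so that a rewritten chain no longer matches the anchored value.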

Configuration

Configuration is stored in lib/config.py:

  • DATA_DIR: ~/.nex-gdpr (customizable)
  • RESPONSE_DEADLINE_DAYS: 30 (GDPR requirement)
  • EXTENSION_DAYS: 60 (for complex requests)
  • DEFAULT_RETENTION_DAYS: 365 (1 year default)

Exit Codes

  • 0: Success
  • 1: Error or validation failure

Notes

  • Designed for agency operators managing multiple clients under GDPR
  • All timestamps are ISO 8601 format with timezone
  • Data findings include PII detection (email, phone, national numbers)
  • Retention cleanup is manual (scheduled via cron or trigger command)
  • Export packages are ZIP files with manifest and data files
  • Responses are compliant with Belgian GDPR (AVG) regulations

Support

For issues or questions:
