Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Privacy Compliance Assistant

v1.0.0

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to generate PIA/DPO reports, and its parameters and example outputs are consistent with that purpose. However, the SKILL.md documents an external API endpoint that requires an API key, while the skill metadata declares no required credentials or primaryEnv: the declared requirements do not match the actual runtime needs.
Instruction Scope
Runtime instructions direct the agent to send complete organization descriptions and lists of data types, systems and third parties to an external API (portal.toolweb.in). Sending internal processing details, and potentially PII, to a third-party endpoint is inherent to this functionality, but it creates privacy and exfiltration risk; the SKILL.md neither advises using synthetic data for testing nor limits what may be sent.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by the skill itself. That minimizes supply-chain risk.
Credentials
Although the metadata lists no required environment variables or credentials, the SKILL.md states that the API expects an X-API-Key header or an mcp_api_key argument. The skill should declare a primary credential or required env var; the omission is an incoherence and invites ad-hoc credential handling by the agent, which is risky.
Persistence & Privilege
The skill is not marked always:true. It is declared user-invocable, and autonomous (model-initiated) invocation is not disabled, which is the platform default. The skill does not request persistent system-level privileges and does not write other skills' configs.
What to consider before installing
Before installing or using this skill:
1. Confirm who operates portal.toolweb.in and whether the operator is trustworthy; ask for their privacy policy and a Data Processing Agreement (DPA), and read the terms.
2. Recognize that using the skill sends organization descriptions, and potentially PII, to an external service. Do not submit real personal data or sensitive details during testing; use synthetic or anonymized data.
3. Require the skill author to declare the credential (X-API-Key / mcp_api_key) in the metadata so the agent handles the secret explicitly and safely.
4. Verify TLS and endpoint integrity (HTTPS with a valid certificate), and ask whether submitted data is stored, for how long, and whether a DPA is offered.
5. Consider a self-hosted or local alternative if PII must stay on-premises.
6. If you proceed, use a scoped API key you can revoke, and monitor usage and logs for unexpected transmissions.


179 downloads · 0 stars · 1 version · updated 3h ago · v1.0.0 · License: MIT-0

Privacy Compliance Assistant

Generate a Privacy Impact Assessment (PIA) and Data Protection Officer (DPO) advisory report for your organization. Describe your company type, the personal data you process, your processing purpose, systems in use, and data sharing relationships — get back a comprehensive privacy compliance report aligned to GDPR, CCPA, and global privacy regulations.


Usage

{
  "tool": "privacy_compliance_assistant",
  "input": {
    "company_type": "SaaS Platform",
    "data_types": ["Name", "Email Address", "IP Address", "Payment Information", "Usage Analytics"],
    "processing_purpose": "Providing subscription-based project management software to business customers and processing payments",
    "systems_used": ["AWS RDS", "Stripe", "HubSpot CRM", "Google Analytics", "Intercom"],
    "data_shared_with": ["Stripe (payment processing)", "HubSpot (CRM/marketing)", "AWS (infrastructure)", "Intercom (customer support)"]
  }
}

Parameters

All fields are required.

Field | Type | Description
company_type | string | Type of organization. Examples: SaaS Platform, E-commerce, Healthcare Provider, Financial Services, HR Tech, EdTech, Marketplace, Enterprise Software
data_types | array | Types of personal data collected or processed. Examples: Name, Email Address, Phone Number, IP Address, Payment Information, Health Records, Biometric Data, Location Data, Cookies, Usage Analytics, Government ID
processing_purpose | string | Clear description of why personal data is collected and how it is used
systems_used | array | Technology systems, platforms and tools used to store or process personal data. Examples: AWS RDS, Salesforce, Stripe, Google Analytics, Okta, Snowflake, Mailchimp
data_shared_with | array | Third parties with whom personal data is shared, including the purpose. Examples: Stripe (payment processing), Google Analytics (web analytics), AWS (infrastructure hosting)

What You Get

  • Privacy Impact Assessment (PIA) — structured assessment of privacy risks across the data lifecycle
  • Data Processing Register entry — Article 30 GDPR-compliant record of processing activities (ROPA)
  • Legal basis analysis — recommended lawful basis for each processing activity (consent, legitimate interest, contract, legal obligation)
  • Data subject rights checklist — how to fulfill access, erasure, portability, and objection requests
  • Third-party risk summary — privacy risk assessment for each data sharing relationship
  • Retention and deletion guidance — recommended data retention periods per data type
  • Cross-border transfer analysis — flags if data transfers outside EEA/adequate countries require SCCs or BCRs
  • Remediation recommendations — prioritized actions to close privacy compliance gaps

Example Output

{
  "company_type": "SaaS Platform",
  "pia_risk_rating": "Medium",
  "gdpr_applicable": true,
  "ccpa_applicable": true,
  "processing_activities": [
    {
      "purpose": "Payment processing",
      "data_types": ["Name", "Payment Information"],
      "legal_basis": "Contract (Article 6(1)(b))",
      "retention_period": "7 years (financial regulation)",
      "cross_border_transfer": false
    },
    {
      "purpose": "Usage analytics",
      "data_types": ["IP Address", "Usage Analytics"],
      "legal_basis": "Legitimate Interest (Article 6(1)(f))",
      "retention_period": "26 months",
      "cross_border_transfer": true,
      "transfer_mechanism": "Standard Contractual Clauses (SCCs)"
    }
  ],
  "third_party_risks": [
    {
      "vendor": "Google Analytics",
      "risk": "High — US-based transfer, requires SCCs and consent banner",
      "action": "Implement cookie consent and execute DPA with Google"
    }
  ],
  "data_subject_rights": {
    "access": "Implement self-service data export in account settings",
    "erasure": "Build account deletion workflow with cascade delete",
    "portability": "Provide JSON/CSV export of user data",
    "objection": "Allow opt-out of analytics tracking"
  },
  "top_gaps": [
    "No Data Processing Agreement (DPA) executed with Google Analytics",
    "No cookie consent mechanism for analytics tracking",
    "Privacy policy does not document all third-party data sharing",
    "No formal data retention and deletion schedule"
  ],
  "immediate_actions": [
    "Execute DPAs with all data processors (Stripe, HubSpot, Intercom, AWS)",
    "Deploy cookie consent banner covering analytics and marketing cookies",
    "Update privacy policy to include complete ROPA disclosures"
  ]
}

API Reference

Base URL: https://portal.toolweb.in/apis/compliance/privacy-assistant

Endpoint | Method | Description
/generate-dpo | POST | Generate Privacy Impact Assessment and DPO advisory report

Authentication: pass your API key in the X-API-Key header, or as the mcp_api_key argument when calling through MCP.
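As an added example, not code from the skill or from ToolWeb.in, the following Python client applies the scan's recommendations to the endpoint documented above: the key is read from an environment variable instead of being pasted into prompts (the skill metadata declares none), the payload is checked against the documented schema, values that look like real personal data rather than category labels are refused before anything leaves the machine, plaintext transport is rejected, and an audit record of the outbound call is produced that contains the destination and a payload digest but never the key or the body. The base URL, endpoint path, header name and sample input come from this page; the variable name PRIVACY_ASSISTANT_API_KEY, the PII heuristics and the audit-record format are assumptions made for this example.

```python
import hashlib
import json
import os
import re
from urllib.request import Request

# Base URL, endpoint and header name are from the API reference above.
BASE_URL = "https://portal.toolweb.in/apis/compliance/privacy-assistant"
ENDPOINT = "/generate-dpo"
# Assumed variable name: the skill metadata declares no credential, so pick
# one and keep the key out of prompts, logs and SKILL.md.
API_KEY_ENV = "PRIVACY_ASSISTANT_API_KEY"

# The five required fields and their documented types.
REQUIRED_FIELDS = {
    "company_type": str,
    "data_types": list,
    "processing_purpose": str,
    "systems_used": list,
    "data_shared_with": list,
}

# Heuristics for values that look like real personal data rather than the
# category labels the API expects ("Email Address", not someone's address).
# Constructed for this example; not an exhaustive PII detector.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+?\d[\d\s().-]{8,}\d"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}

# Constructed sample input, copied from the Usage section above.
SAMPLE_INPUT = {
    "company_type": "SaaS Platform",
    "data_types": ["Name", "Email Address", "IP Address",
                   "Payment Information", "Usage Analytics"],
    "processing_purpose": "Providing subscription-based project management "
                          "software to business customers and processing payments",
    "systems_used": ["AWS RDS", "Stripe", "HubSpot CRM", "Google Analytics",
                     "Intercom"],
    "data_shared_with": ["Stripe (payment processing)", "HubSpot (CRM/marketing)",
                         "AWS (infrastructure)", "Intercom (customer support)"],
}


def _strings(value):
    """Yield every string inside a str or (nested) list value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, list):
        for item in value:
            yield from _strings(item)


def validate_schema(payload):
    """Reject payloads missing a required field or using the wrong type."""
    missing = [f for f in REQUIRED_FIELDS if f not in payload]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    for field, typ in REQUIRED_FIELDS.items():
        if not isinstance(payload[field], typ):
            raise TypeError(f"{field} must be {typ.__name__}")


def screen_input(payload):
    """Return (field, pattern) findings; an empty list means nothing PII-like."""
    findings = []
    for field in REQUIRED_FIELDS:
        for text in _strings(payload.get(field)):
            for name, pattern in PII_PATTERNS.items():
                if pattern.search(text):
                    findings.append((field, name))
    return findings


def build_request(payload, api_key=None):
    """Build the POST request, refusing PII-like input and plaintext transport."""
    validate_schema(payload)
    findings = screen_input(payload)
    if findings:
        raise ValueError(f"refusing to send: PII-like values in {findings}")
    key = api_key or os.environ.get(API_KEY_ENV)
    if not key:
        raise RuntimeError(f"set {API_KEY_ENV}; the skill does not declare it")
    url = BASE_URL + ENDPOINT
    if not url.startswith("https://"):
        raise RuntimeError("refusing to send an API key over plaintext HTTP")
    body = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    headers = {"Content-Type": "application/json", "X-API-Key": key}
    return Request(url, data=body, headers=headers, method="POST")


def audit_record(req):
    """Outbound log entry: destination and payload digest, never key or body."""
    return {"host": req.host, "path": req.selector, "bytes": len(req.data),
            "sha256": hashlib.sha256(req.data).hexdigest()}


if __name__ == "__main__":
    # urllib.request.urlopen(request) would send it and verifies the server
    # certificate by default; not sent here so the example runs offline.
    print(json.dumps(audit_record(build_request(SAMPLE_INPUT, "test-key"))))
    print(screen_input(dict(SAMPLE_INPUT, data_shared_with=["alice@example.com"])))
```

To actually call the API, pass the returned request to urllib.request.urlopen, which validates the server certificate against the system trust store; write the audit record to your outbound log so unexpected destinations or payload sizes stand out. The pattern screen is a guard against accidentally pasting real records into a field that should hold a category label, not a replacement for a DLP control or for the DPA the scan recommends.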


Pricing

Plan | Daily Limit | Monthly Limit | Price
Free | 5 / day | 50 / month | $0
Developer | 20 / day | 500 / month | $39
Professional | 200 / day | 5,000 / month | $99
Enterprise | 100,000 / day | 1,000,000 / month | $299

About

ToolWeb.in — 200+ security APIs, CISSP & CISM certified, built for enterprise compliance practitioners.

Platforms: Pay-per-run · API Gateway · MCP Server · OpenClaw · RapidAPI · YouTube
