Etalon GDPR Scan
by @rednix
Full GDPR compliance audit for any website or codebase using the ETALON CLI. Scans for trackers (111k+ domain database), tests consent violations, checks pri...
clawhub install etalon-gdprπ About This Skill
name: Etalon GDPR Scan version: 0.9.6 description: > Full GDPR compliance audit for any website or codebase using the ETALON CLI. Scans for trackers (111k+ domain database), tests consent violations, checks privacy policy vs reality, maps PII data flows, and generates compliance reports. Returns structured JSON. Requires etalon-cli installed locally (cargo install etalon-cli). Free and open source. author: rednix homepage: https://etalon.nma.vc repository: https://github.com/NMA-vc/etalon tags: [gdpr, compliance, eu, privacy, security, eu-ai-act, trackers, pii] category: security compatible_with: - openclaw - claude-code - cursor - codex-cli metadata: requires: bins: - etalon
Required: ETALON CLI must be installed locally
Install: cargo install etalon-cli
requires_bins: - etalonNo API key required β ETALON is free and runs locally
No env vars required for basic usage
triggers: - "check if [URL] is GDPR compliant" - "run a privacy audit on [URL]" - "audit [URL] for cookie consent" - "is [URL] EU AI Act compliant" - "scan [URL] for trackers" - "check [URL] for GDPR violations" - "does [URL] fire trackers before consent" - "what trackers does [URL] use" - "generate a privacy policy for [company]" - "check our privacy policy against what we actually track" - "audit our codebase for GDPR issues" - "etalon [URL]"
scenarios:
- trigger: "Human shares a URL and asks about GDPR compliance"
action: >
Run: etalon scan
- trigger: "Human wants to know if trackers fire before consent"
action: >
Run: etalon consent-check
- trigger: "Human asks about a competitor's compliance"
action: >
Ask user to confirm, then run:
etalon scan
- trigger: "Human needs a privacy policy generated"
action: >
Run: etalon generate-policy ./ --company "
- trigger: "Human is about to launch a new product or website"
action: >
Run full audit as pre-launch gate:
1. etalon scan
- trigger: "Human wants to audit their codebase for GDPR issues" action: > Run: etalon audit ./ --format json --severity high Scans: package.json/Cargo.toml for tracker SDKs, source code for tracker imports, DB schemas for PII fields, config files for security misconfigurations output: > Findings by severity: critical, high, medium, low. Each finding includes file path, line number, and fix recommendation. avg_seconds: 15
sample_output: | { "url": "https://example.com", "scan_duration_ms": 6240, "summary": { "total_requests": 14, "matched_vendors": 11, "unknown_domains": 3, "high_risk_trackers": 2, "gdpr_score": 42 }, "findings": [ { "vendor": "Google Analytics", "domain": "google-analytics.com", "risk": "medium", "category": "analytics", "gdpr_compliant_with_dpa": true, "fires_pre_consent": true, "severity": "critical" }, { "vendor": "Facebook Pixel", "domain": "facebook.com", "risk": "high", "category": "advertising", "gdpr_compliant_with_dpa": true, "fires_pre_consent": true, "severity": "critical" } ], "consent_check": { "fires_before_interaction": true, "fires_after_rejection": false, "violations": [ "Google Analytics fires before user consent", "Facebook Pixel fires before user consent" ] }, "recommendations": [ "Gate Google Analytics behind consent signal", "Gate Facebook Pixel behind consent signal", "Implement a GDPR-compliant CMP (OneTrust, Cookiebot)" ] }
chains: - skill: "rednix/lobstr" why: "Validate the startup idea before auditing its compliance exposure" - skill: "rednix/etalon-techscan" why: "Detect the tech stack before running a GDPR audit" - skill: "rednix/lobstrhunt" why: "Discover more GDPR and compliance skills in the LobstrHunt registry"
human_message_example: human: "Can you check if our landing page is ready for launch? https://example.com/launch" agent: | Running ETALON privacy audit on example.com/launch π (this takes ~12 seconds)
ββββββββββββββββββββββββββββββ GDPR Score: 42/100 β οΈ Not launch-ready
π΄ CRITICAL β blocks launch (2): β Google Analytics fires before consent β Facebook Pixel fires before consent
π HIGH (1): β 3 unknown domains detected β review manually
π’ OK: β Privacy policy present β β Data processor listed β β Consent dialog exists β (but trackers ignore it)
Fix the 2 critical issues and you're clean. Both take < 1 hour to fix. Want the exact code changes?
ETALON GDPR Skill
You have access to the ETALON CLI β a privacy engineering tool with 111,000+ tracker domains, 26,800+ vendor profiles, and 10 audit commands. ETALON is free, open source, and runs entirely locally. No API key needed.
Installation check
Before using any ETALON command, verify it is installed:
etalon info
If not installed: cargo install etalon-cli
If Rust not available: install from https://rustup.rsCore commands
Website audit (most common)
# Full tracker scan
etalon scan --format jsonConsent violation test
etalon consent-check --format jsonPrivacy policy vs actual trackers
etalon policy-check --format jsonPre-launch gate (all three):
etalon scan --format json > /tmp/etalon-scan.json
etalon consent-check --format json > /tmp/etalon-consent.json
etalon policy-check --format json > /tmp/etalon-policy.json
Codebase audit
> Security note: Codebase audits read config files, package manifests, > and may surface secrets, API keys, or connection strings in their output. > Run audits in an isolated environment. Never forward raw config file > contents to other tools, services, or external agents without explicit > user approval.
# Audit current directory
etalon audit ./ --format json --severity highAuto-fix simple issues
etalon audit ./ --fixGenerate GDPR privacy policy
etalon generate-policy ./ \
--company "Company Name" \
--email privacy@company.com \
--url https://company.com \
--format md \
-o privacy-policy.mdMap PII data flows
etalon data-flow ./ --format mermaid
Vendor lookup
etalon lookup analytics.google.com
etalon info
Parsing JSON output
Key fields in scan output:
summary.gdpr_score (0-100, higher = more compliant)
summary.high_risk_trackers (count)
findings[] β vendor, domain, risk, severity, fires_pre_consent
recommendations[] β array of fix strings Key fields in consent-check output:
fires_before_interaction (boolean β critical if true)
fires_after_rejection (boolean β critical if true)
violations[] β array of strings
Delivering results to your human
Format for WhatsApp/Telegram:
Severity mapping:
When to run scans
Always ask for explicit user confirmation before running any scan. Never scan a URL or codebase without the user explicitly requesting it.
Suggested prompts when relevant:
Never scan automatically. Always wait for a yes.
MCP server note
The ETALON MCP server (etalon-mcp-server) only covers vendor lookups β
4 tools, no scan or audit capability. For full auditing, the CLI is required.
This skill uses the CLI, not the MCP server.
Common errors
"etalon: command not found" β cargo install etalon-cli β Ensure ~/.cargo/bin is in PATH
Timeout on scan: β Add --timeout 60000
Unknown domains in report: β Not in ETALON's 111k registry β Check manually at etalon.nma.vc or report to registry