Performs regulatory gap analysis across 7 compliance frameworks with a scored report card and prioritized remediation roadmap. Use when assessing a website or application for GDPR, CCPA, ADA, PCI-DSS, CAN-SPAM, COPPA, or SOC 2 compliance. Trigger with "/compliance-audit" or "audit my website for regulatory compliance".
Executes a two-phase compliance analysis — detection scan followed by framework-by-framework evaluation — across 7 regulatory frameworks. Produces a compliance scorecard with letter grades (A-F) per framework, identifies specific gaps, and generates a prioritized remediation roadmap with effort estimates and timelines.
This skill reads and analyzes existing assets. It does not generate legal documents or modify any files. The output is an audit report documenting findings and recommendations.
Legal Disclaimer: This skill generates AI-assisted compliance analysis for informational purposes only. It does not constitute legal advice, certification, or attestation of compliance. Regulatory requirements are complex and jurisdiction-specific. All findings should be reviewed by qualified legal counsel and/or certified compliance professionals. No attorney-client relationship is created by using this tool.
**Scan the website.** Use WebFetch on the target URL to collect:
**Scan the codebase (if available).** Use Glob and Grep to find:
**Build the detection inventory.** Create a structured map of findings:
| Category | Signals Found | Frameworks Triggered |
|---|---|---|
| Data Collection | Forms, cookies, analytics | GDPR, CCPA |
| Payments | Stripe, PayPal, card fields | PCI-DSS |
| Accessibility | Missing alt text, no skip nav | ADA/WCAG |
| Email Marketing | Newsletter signup, email sends | CAN-SPAM |
| User Demographics | Age gates, child-oriented content | COPPA |
| Security Controls | Auth, encryption, logging | SOC 2 |
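The Phase 1 inventory above can be built mechanically from page source. The following is an added example, not part of the skill itself: it scans a constructed HTML snippet with regexes that approximate each signal category and maps hits to the frameworks in the table. All pattern choices and the sample page are assumptions for illustration.

```python
import re

# Signal definitions constructed for this example: (label, regex, fires_when_present).
# A check with fires_when_present=False records a gap when the pattern is ABSENT
# (e.g. no skip-navigation link anywhere on the page).
SIGNALS = {
    "Data Collection": (["GDPR", "CCPA"], [
        ("forms", r"<form\b", True),
        ("cookies", r"document\.cookie", True),
        ("analytics", r"googletagmanager\.com|google-analytics\.com|gtag\(", True),
    ]),
    "Payments": (["PCI-DSS"], [
        ("Stripe", r"js\.stripe\.com", True),
        ("PayPal", r"paypal\.com/sdk", True),
        ("card fields", r'autocomplete="cc-number"|name="card[_-]?number"', True),
    ]),
    "Accessibility": (["ADA/WCAG"], [
        ("missing alt text", r"<img\b(?![^>]*\balt=)[^>]*>", True),
        ("no skip nav", r'href="#(main|content)"', False),
    ]),
    "Email Marketing": (["CAN-SPAM"], [("newsletter signup", r"newsletter|subscribe", True)]),
    "User Demographics": (["COPPA"], [
        ("age gate", r"date of birth|are you (over|under) 1[38]", True),
        ("child-oriented content", r"\b(kids|children)\b", True),
    ]),
    "Security Controls": (["SOC 2"], [("auth", r'type="password"', True)]),
}

def build_inventory(html: str) -> dict:
    """Return {category: {"signals": [...], "frameworks": [...]}} for categories that fired."""
    inventory = {}
    for category, (frameworks, checks) in SIGNALS.items():
        fired = [label for label, pattern, when_present in checks
                 if bool(re.search(pattern, html, re.I)) == when_present]
        if fired:
            inventory[category] = {"signals": fired, "frameworks": list(frameworks)}
    return inventory

def triggered_frameworks(inventory: dict) -> list:
    """Deduplicated list of frameworks, in first-seen order, for the scorecard."""
    seen = []
    for entry in inventory.values():
        seen.extend(fw for fw in entry["frameworks"] if fw not in seen)
    return seen

# Constructed sample page: analytics tag, Stripe.js, an <img> without alt, a newsletter form, a login form.
SAMPLE_HTML = """<html><head>
<script src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="https://js.stripe.com/v3/"></script></head><body><img src="/logo.png">
<form action="/newsletter"><input type="email" name="email"><button>Subscribe</button></form>
<form action="/login"><input type="password" name="pw"></form></body></html>"""
```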
**Evaluate each applicable framework.** Score against these criteria:
- **GDPR** (General Data Protection Regulation)
- **CCPA/CPRA** (California Consumer Privacy Act)
- **ADA/WCAG 2.1** (Accessibility)
- **PCI-DSS** (Payment Card Industry)
- **CAN-SPAM** (Commercial Email)
- **COPPA** (Children's Online Privacy Protection)
- **SOC 2** (Trust Services Criteria)
**Calculate compliance scores.** For each framework:
| Grade | Score | Meaning |
|---|---|---|
| A | 90-100% | Substantially compliant |
| B | 75-89% | Minor gaps, low risk |
| C | 60-74% | Moderate gaps, action needed |
| D | 40-59% | Significant gaps, priority remediation |
| F | 0-39% | Non-compliant, immediate action required |
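The grade bands above, the PASS/FAIL/N/A criterion results used in the detailed findings, and the rule that non-applicable frameworks are excluded from the overall score can be turned into a small scorer. This is an added example, not the skill's own code; the criterion names in the sample audit are constructed, and the status mapping (A = Compliant, B to D = Gaps Found, F = Non-Compliant) is an assumption derived from the table's wording.

```python
from typing import Dict, Optional

# Grade bands from the scoring table: (inclusive lower bound, letter).
GRADE_BANDS = [(90, "A"), (75, "B"), (60, "C"), (40, "D"), (0, "F")]
VALID_RESULTS = {"PASS", "FAIL", "N/A"}

def letter_grade(score: float) -> str:
    for floor, grade in GRADE_BANDS:
        if score >= floor:
            return grade
    return "F"

def framework_score(results: Dict[str, str]) -> Optional[float]:
    """Percent of scored criteria that PASS. N/A criteria are not counted;
    returns None when every criterion is N/A (framework not applicable)."""
    bad = set(results.values()) - VALID_RESULTS
    if bad:
        raise ValueError(f"unknown criterion result(s): {sorted(bad)}")
    scored = [v for v in results.values() if v != "N/A"]
    if not scored:
        return None
    return round(100 * scored.count("PASS") / len(scored), 1)

def status_for(grade: str) -> str:
    # Assumption: only an A counts as Compliant; F is Non-Compliant; anything between has gaps.
    return {"A": "Compliant", "F": "Non-Compliant", "N/A": "N/A"}.get(grade, "Gaps Found")

def scorecard(audit: Dict[str, Dict[str, str]]) -> dict:
    """audit = {framework: {criterion: 'PASS'|'FAIL'|'N/A'}}.
    Overall is the mean over applicable frameworks only, per the error-handling rule."""
    rows, applicable = {}, []
    for fw, results in audit.items():
        score = framework_score(results)
        grade = "N/A" if score is None else letter_grade(score)
        rows[fw] = {"score": score, "grade": grade, "status": status_for(grade)}
        if score is not None:
            applicable.append(score)
    overall = round(sum(applicable) / len(applicable), 1) if applicable else None
    overall_grade = "N/A" if overall is None else letter_grade(overall)
    rows["Overall"] = {"score": overall, "grade": overall_grade, "status": status_for(overall_grade)}
    return rows

# Constructed sample: criterion names are illustrative, not the skill's real checklist.
SAMPLE_AUDIT = {
    "GDPR": {"privacy policy published": "PASS", "cookie consent banner": "FAIL",
             "data subject request process": "PASS", "DPO contact listed": "FAIL"},
    "PCI-DSS": {"no card data stored": "PASS", "TLS on checkout": "PASS"},
    "COPPA": {"parental consent flow": "N/A", "age verification": "N/A"},
}
```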
**Generate remediation roadmap.** For each gap, provide:
**Compile the audit report** using the output format below.
Generate a single Markdown file named COMPLIANCE-AUDIT-{company}-{YYYY-MM-DD}.md:
# Regulatory Compliance Audit
**{Company Name}** — {URL or codebase path}
**Audit Date:** {date}
**Auditor:** AI Compliance Scan (Legal Assistant Plugin)
**Scope:** {frameworks evaluated}
---
## Executive Summary
{3-5 sentence overview of compliance posture, highest-risk areas, and top recommendation}
## Compliance Scorecard
| Framework | Score | Grade | Status |
|-----------|-------|-------|--------|
| GDPR | {%} | {A-F} | {Compliant / Gaps Found / Non-Compliant} |
| CCPA/CPRA | {%} | {A-F} | {status} |
| ADA/WCAG 2.1 | {%} | {A-F} | {status} |
| PCI-DSS | {%} | {A-F} | {status} |
| CAN-SPAM | {%} | {A-F} | {status} |
| COPPA | {%} | {A-F} | {status} |
| SOC 2 | {%} | {A-F} | {status} |
| **Overall** | **{%}** | **{grade}** | |
## Detection Inventory
{table of all signals detected during Phase 1}
## Detailed Findings
### GDPR
{criterion-by-criterion evaluation with PASS/FAIL/N/A}
### CCPA/CPRA
{criterion-by-criterion evaluation}
{... remaining frameworks ...}
## Remediation Roadmap
### P0 — Immediate (This Week)
| # | Gap | Framework | Action | Effort | Owner |
|---|-----|-----------|--------|--------|-------|
{high-risk items}
### P1 — Short-Term (30 Days)
{moderate-risk items}
### P2 — Medium-Term (90 Days)
{lower-risk items}
### P3 — Long-Term (6 Months)
{enhancement items}
## Risk Exposure Summary
{estimated fine exposure per framework based on published enforcement ranges}
---
**Frameworks Not Applicable:** {list with reason}
**Limitations:** AI scan cannot detect server-side controls, review organizational policies, or assess physical security. This audit supplements but does not replace professional compliance assessment.
**Generated by:** Legal Assistant Plugin — Not a substitute for legal counsel.
| Error | Cause | Solution |
|---|---|---|
| Website unreachable | URL down, behind auth, or blocked | Ask for codebase path or manual description of features |
| Framework not applicable | Business does not trigger certain regulations | Mark as N/A with explanation, exclude from overall score |
| Cannot assess server-side | No codebase access, only URL | Note limitation, recommend server-side review separately |
| Mixed signals on COPPA | Cannot determine if audience includes children | Flag for manual review, apply COPPA criteria conservatively |
| Payment processing unclear | Redirects to external checkout | Note processor, limit PCI-DSS scope to integration points |
| Existing policies not found | No privacy policy or ToS published | Score as F for policy-dependent criteria, flag as P0 |
**Example 1: E-Commerce Website**
**Request:** "Audit https://example-shop.com for compliance"
**Result:** COMPLIANCE-AUDIT-ExampleShop-2026-04-02.md with:
**Example 2: SaaS Application Codebase**
**Request:** "Run a compliance audit on our codebase at ./src"
**Result:** COMPLIANCE-AUDIT-SaaSApp-2026-04-02.md with: