npm - @raishin/vanguard-frontier-agentic - Versions diffs - 2.0.0 → 2.0.1 - Mend

@raishin/vanguard-frontier-agentic 2.0.0 → 2.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (223) hide show

package/skills/marketing/email-sender-authentication-review/references/workflow-and-output.md ADDED Viewed

@@ -0,0 +1,152 @@
+# Workflow and Output Contract
+## Workflow
+### Step 1 — Collect inputs
+Ask the user to provide the following as a sanitized DNS record export (replace real selector names with generic placeholders only if the user prefers; SPF/DKIM/DMARC records are public data but never request ESP credentials or DMARC aggregate XML):
+- SPF TXT record for the root sending domain and all active ESP subdomains
+- DKIM TXT record(s) identified by selector name (e.g., `selector1._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=..."`)
+- DMARC TXT record at `_dmarc.example.com`
+- BIMI TXT record at `default._bimi.example.com` and VMC/CMC certificate URL if present
+- The list of all active ESP and transactional sending paths (e.g., Mailchimp, Salesforce Marketing Cloud, SendGrid transactional, Postmark) and whether each uses a subdomain or the root domain
+If the user provides only partial records, note which paths are unassessed.
+### Step 2 — SPF audit
+Parse the SPF record from `v=spf1` through the terminating `all` mechanism:
+1. Count every mechanism that requires a DNS lookup: `include:`, `a`, `mx`, `ptr`, `exists`. RFC 7208 mandates a hard limit of ten such lookups; exceeding it produces a permerror treated as an SPF fail by receiving MTAs.
+2. Identify the `all` qualifier: `~all` (softfail), `-all` (hardfail), `+all` (pass all — HIGH), `?all` (neutral).
+3. Identify any mechanisms that are redundant, deprecated (`ptr:`), or that enumerate IP ranges far wider than the actual sending infrastructure.
+```text
+# HIGH — SPF with +all negates all restrictions
+v=spf1 include:esp1.com include:esp2.com +all
+# HIGH — SPF with 13 DNS lookups; permerror on receipt
+v=spf1 include:_spf.google.com include:sendgrid.net include:mail.zendesk.com
+        include:servers.mcsv.net include:spf.mailjet.com include:_spf.salesforce.com
+        include:postmarkapp.com include:emailsig.com include:mktomail.com
+        include:smtp.hubspot.net include:spf1.mailchimp.com include:esp12.com
+        include:sp.example.com ~all
+# (13 include: mechanisms, each resolves to at least one more lookup → permerror)
+# CORRECT — SPF with eight lookups and -all
+v=spf1 include:_spf.google.com include:sendgrid.net include:postmarkapp.com -all
+```
+### Step 3 — DKIM audit
+For each active sending path identified in Step 1:
+- Confirm a DKIM selector exists and the TXT record is present and well-formed (`v=DKIM1`, key type, public key).
+- Confirm the key length is at least 1024 bits; 2048 bits is recommended.
+- Confirm the signing domain (`d=` tag in the DKIM signature) aligns with the `From:` domain at the level required by the DMARC alignment mode (relaxed: organizational domain match; strict: exact domain match).
+- Flag any sending path with no DKIM selector as HIGH.
+- Flag keys shorter than 1024 bits as HIGH (deprecated, breakable).
+- Note whether key rotation documentation was provided; absence is MEDIUM.
+```text
+# HIGH — transactional ESP subdomain has no DKIM selector
+tx.example.com: no DKIM TXT record found for any known selector
+DMARC alignment for mail sent via tx.example.com: fails (no signature to align)
+# CORRECT — selector and key present, 2048-bit key
+selector2._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqh..."
+```
+### Step 4 — DMARC audit
+Parse the DMARC record at `_dmarc.<domain>`:
+- `p=` (policy): `none`, `quarantine`, or `reject`. `none` provides monitoring only; it does not prevent spoofing or satisfy Google/Yahoo bulk-sender enforcement requirements when operating at scale.
+- `pct=` (percentage): defaults to 100; values below 100 mean the policy applies to only that fraction of non-aligning mail.
+- `rua=` (aggregate report URI): absence means no visibility into alignment failures.
+- `ruf=` (forensic report URI): optional but useful for debugging.
+- `aspf=` and `adkim=` (alignment modes): `r` (relaxed, default) or `s` (strict); strict requires an exact domain match between the `From:` header and the SPF/DKIM signing domain.
+- `sp=` (subdomain policy): defaults to the `p=` value if absent; explicit `sp=reject` is recommended when subdomains are not used for sending.
+```text
+# HIGH — p=none with no enforcement path
+_dmarc.example.com IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
+→ spoofing is possible; Google/Yahoo bulk-sender requirements not satisfied for enforcement
+# MEDIUM — p=quarantine with pct=10 and no ruf
+_dmarc.example.com IN TXT "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@example.com"
+→ only 10% of failing mail is quarantined; 90% is unaffected
+# CORRECT — p=reject, full enforcement, reporting configured
+_dmarc.example.com IN TXT "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com"
+```
+### Step 5 — DMARC alignment verification
+DMARC requires at least one of SPF or DKIM to align with the `From:` header domain:
+- For SPF alignment: the envelope `MAIL FROM` domain must match the `From:` header domain at the configured alignment level.
+- For DKIM alignment: the `d=` tag in the DKIM signature must match the `From:` header domain at the configured level.
+- If neither SPF nor DKIM aligns, DMARC fails regardless of `p=` value — flag as HIGH if structural misalignment is evident from the record set.
+### Step 6 — BIMI and certificate audit
+If a BIMI record is present at `default._bimi.<domain>`:
+- Confirm `v=BIMI1; l=<logo-url>; a=<certificate-url>` syntax.
+- Confirm the certificate URL resolves to a VMC (Verified Mark Certificate) or CMC (Common Mark Certificate).
+- Without a VMC/CMC, BIMI display is ignored by Gmail, Yahoo, and Apple Mail — flag as LOW.
+- If no BIMI record is present, note it as informational (not a deficiency unless the user has a BIMI adoption goal).
+### Step 7 — Bulk-sender compliance assessment
+Assess compliance with Google and Yahoo bulk-sender requirements (enforced Feb 2024 for Google, June 2024 for Yahoo):
+- DMARC record present at organizational domain level: required.
+- SPF or DKIM alignment passing: required.
+- Spam complaint rate below 0.10% (0.08% recommended): not assessable from DNS records alone — note as out-of-scope.
+- One-click unsubscribe (RFC 8058 `List-Unsubscribe-Post` header): not assessable from DNS records — note as out-of-scope.
+Summarize the DNS-assessable compliance gap clearly.
+### Step 8 — Produce the output
+Format findings using the Output format section below.
+---
+## Output format
+```
+## Verdict
+<one sentence: pass / needs work / critical issues found>
+## Evidence level
+<DNS record provided | documentation-based | inference from absent record>
+## Findings
+### CRITICAL
+- [C1] <finding title>: <description> — <remediation>
+### HIGH
+- [H1] <finding title>: <description> — <remediation>
+### MEDIUM
+- [M1] <finding title>: <description> — <remediation>
+### LOW
+- [L1] <finding title>: <description> — <remediation>
+## Safe next actions
+1. <action>
+2. <action>
+## Open questions
+- <question requiring user clarification>
+```
+---
+## Security and scope notes
+- This is a static review. DNS records are public, but never request ESP account credentials, DMARC aggregate report XML containing real email metadata, or sending-platform API keys.
+- A domain at `p=none` is exploitable for spoofing attacks and phishing campaigns impersonating the brand. Surface this risk explicitly; do not understate it as a deliverability issue only.
+- When evidence is partial (e.g., SPF record provided but no DKIM selectors listed), scope each finding to what was provided and state the inference basis explicitly.
+- Do not recommend removing an active ESP's SPF `include:` to solve the lookup-count problem without first confirming DKIM-only alignment is available for that path — removing SPF coverage without DKIM will break DMARC alignment.
+- Key rotation guidance is advisory hygiene; the urgency depends on key age and organizational risk tolerance; surface it as MEDIUM, not blocking.

package/skills/marketing/eu-ai-act-marketing-system-review/SKILL.md ADDED Viewed

@@ -0,0 +1,43 @@
+---
+name: eu-ai-act-marketing-system-review
+description: Use this skill when reviewing a marketing AI system's description card against EU AI Act risk-tier criteria to classify the system (prohibited / high-risk / limited-risk / minimal-risk), flag documentation obligations, and identify deployment-readiness gaps before the August 2, 2026 full-enforcement date. Trigger when a user provides an AI system description card covering system purpose, input data types, output decisions, human-oversight mechanism, deployment geography, and whether it profiles natural persons — or when they ask whether their marketing AI tool, lead-scoring model, content personalization engine, or automated ad-decisioning system requires a conformity assessment or transparency notice under EU AI Act Regulation 2024/1689.
+allowed-tools: Read Grep Glob
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+  updated: "2026-05-17"
+  category: compliance
+  lifecycle: experimental
+---
+# EU AI Act Marketing System Review
+## Purpose
+This skill reviews a marketing AI system's description card against EU AI Act Regulation 2024/1689 risk-tier criteria to classify the system, flag documentation obligations, and identify deployment-readiness gaps before the August 2, 2026 full-enforcement date. Marketing AI systems — lead-quality scorers, content personalization engines, urgency-calibration models, lookalike generators, and automated bidding optimizers — operate at the boundary between Article 5 prohibited practices (subliminal manipulation, exploitation of vulnerabilities), Annex III high-risk systems (AI for access to private services, creditworthiness, and employment when profiling natural persons), and limited-risk systems subject to transparency obligations only. Misclassification is itself a compliance gap: a system internally labeled "low risk" that profiles behavioral and demographic signals for credit or employment routing is Annex III high-risk and requires a conformity assessment. The review ingests the description card, maps system characteristics to the risk taxonomy, flags missing documentation (technical documentation Article 11, conformity assessment Article 43, transparency obligations Article 13/52), and identifies the August 2026 enforcement timeline pressure.
+## Lean operating rules
+- Treat a system that profiles natural persons using behavioral or demographic signals to produce scores, rankings, or routing decisions used in access to credit, insurance, employment, or essential private services as HIGH — this maps to Annex III categories and requires a conformity assessment, CE marking, and registration in the EU AI database before deployment.
+- Treat urgency or scarcity signals calibrated by real-time engagement data with no human review gate as HIGH — this is a candidate for Article 5(1)(b) prohibited subliminal manipulation or exploitation of psychological vulnerabilities; route to qualified legal counsel without making the prohibition determination yourself.
+- Treat a system classified internally as "low risk" but routing decisions to downstream agents or automated processes with no human override capability as HIGH — the absence of a meaningful human-oversight mechanism invalidates a limited-risk designation under Article 14 requirements.
+- Treat a system that processes biometric, health, racial/ethnic-origin, political-opinion, or religious-belief data as input features or inferred labels for marketing segmentation as HIGH — these are special-category data under GDPR Article 9 and trigger heightened AI Act scrutiny as potential Annex III characteristics.
+- Treat the absence of technical documentation (Article 11) covering system purpose, training data provenance, performance metrics, and limitations for any non-minimal-risk system as HIGH — documentation is a prerequisite for conformity assessment, not a post-deployment obligation.
+- Treat a system with no transparency notice or user-facing disclosure of automated decision-making where the EU AI Act or GDPR Article 22 requires one as HIGH — undisclosed profiling that produces legal or similarly significant effects is both a GDPR and an AI Act violation.
+- Flag a system whose August 2026 enforcement readiness is unknown — no documented conformity-assessment timeline, no assigned responsible person, no EU registration planned — as MEDIUM when the system is potentially high-risk.
+- Flag general-purpose AI models integrated into marketing workflows without a documented system-level risk assessment as MEDIUM — the GPAI provisions under Title VIII require providers to assess downstream systemic risk.
+- Flag systems that collect or process behavioral signals at scale (>1 million natural persons) without a documented fundamental rights impact assessment as MEDIUM.
+- Do not classify a system as prohibited under Article 5 without explicit instruction to qualified counsel; surface the risk and route the determination.
+- Label every finding with evidence basis: description card provided, documentation-based, or inference from missing information.
+## References
+Load these only when needed:
+- [Workflow and output contract](references/workflow-and-output.md) — use when executing the full review or formatting the final answer.
+## Response minimum
+Return, at minimum:
+- System risk-tier classification (prohibited / high-risk Annex III / limited-risk / minimal-risk) with rationale
+- Profiling and natural-person assessment (Article 22 GDPR intersection)
+- Human-oversight mechanism assessment (Article 14)
+- Documentation gap inventory (Article 11 technical docs, Article 43 conformity assessment, Article 13/52 transparency)
+- August 2026 enforcement readiness assessment
+- Severity-labelled finding list (critical / high / medium / low)
+- Safe next actions

package/skills/marketing/eu-ai-act-marketing-system-review/metadata.json ADDED Viewed

@@ -0,0 +1,21 @@
+{
+  "id": "eu-ai-act-marketing-system-review",
+  "name": "EU AI Act Marketing System Review",
+  "type": "skill",
+  "provider": "marketing",
+  "harnesses": ["codex", "claude-code", "cursor", "gemini", "kiro", "other"],
+  "summary": "Review a marketing AI system description card against EU AI Act Regulation 2024/1689 risk-tier criteria — classify the system, flag documentation obligations (Articles 11, 13, 14, 43), and identify deployment-readiness gaps before the August 2, 2026 full-enforcement date.",
+  "source_type": "original",
+  "official_docs": [
+    "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689",
+    "https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai",
+    "https://www.europarl.europa.eu/topics/en/article/20230601STO93804/eu-ai-act-first-regulation-on-artificial-intelligence",
+    "https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-022023-technical-scope-art-22-gdpr_en",
+    "https://artificialintelligenceact.eu/the-act/"
+  ],
+  "security_notes": "EU AI Act classification determines conformity assessment, CE marking, and EU AI database registration obligations — misclassification is itself a compliance gap. Review works from sanitized AI system description cards only; never request model weights, training datasets, internal performance logs, or vendor system-access credentials. Legal determination of Article 5 prohibited practices is routed to qualified counsel.",
+  "last_verified": "2026-05-17",
+  "path": "skills/marketing/eu-ai-act-marketing-system-review",
+  "author": "github: Raishin",
+  "version": "0.1.0"
+}

package/skills/marketing/eu-ai-act-marketing-system-review/references/workflow-and-output.md ADDED Viewed

@@ -0,0 +1,176 @@
+# Workflow and Output Contract
+## Workflow
+### Step 1 — Collect inputs
+Ask the user to provide an AI system description card as a sanitized document (no model weights, no training data, no vendor credentials). The description card should cover:
+- System purpose and primary use case (what decision or output does it produce?)
+- Input data types (behavioral signals, demographic data, purchase history, engagement metrics, etc.)
+- Output type (score, ranking, binary decision, content recommendation, audience segment)
+- Human-oversight mechanism (is there a human review gate before the output is acted upon?)
+- Deployment geography (EU deployment or EU-resident data subjects?)
+- Whether the system profiles natural persons (produces an evaluation of personal aspects)
+- Internal risk classification, if any
+- Whether the system is integrated into a downstream automated decision chain
+If the user provides only a partial description card, note which elements are absent and scope findings accordingly.
+### Step 2 — Determine EU AI Act applicability
+Confirm whether the Act applies:
+- The system is placed on the market in the EU, used in the EU, or its outputs affect EU-resident natural persons.
+- The operator or deployer is subject to EU jurisdiction, or the provider targets the EU market.
+If applicability is uncertain, flag as MEDIUM and recommend a legal-jurisdiction assessment.
+### Step 3 — Article 5 prohibited-practice screening
+Screen the system description for candidate prohibited practices before proceeding to risk-tier classification:
+```text
+# Article 5(1)(a) — Subliminal manipulation
+System uses techniques that influence behavior below the threshold of conscious awareness,
+causing decisions persons would not have made otherwise — e.g., urgency signals calibrated
+to anxiety response patterns without the user's knowledge.
+# Article 5(1)(b) — Exploitation of vulnerabilities
+System exploits specific vulnerabilities of a group (age, disability, social/economic situation)
+to distort behavior in a way that causes harm — e.g., targeting financially distressed segments
+with high-interest offers optimized on engagement signals from that population.
+# Article 5(1)(e)/(f) — Social scoring / emotion recognition in workplace or public space
+```
+If any candidate applies, flag as HIGH and route the prohibited-practice determination to qualified legal counsel. Do not determine prohibition yourself.
+### Step 4 — Annex III high-risk classification
+Map system characteristics to Annex III categories relevant to marketing AI:
+```text
+Annex III(1) — Biometric categorisation that infers sensitive characteristics
+Annex III(3) — AI in education or vocational training affecting access
+Annex III(4) — Employment, workers management, access to self-employment
+Annex III(5) — Access to and enjoyment of essential private services and public services
+              → creditworthiness scoring, insurance risk, financial product access
+Annex III(6) — Law enforcement (typically out of scope for marketing)
+Annex III(8) — Administration of justice / democratic processes
+```
+A marketing AI system that profiles natural persons to determine or influence their access to credit, insurance, employment, or essential services maps to Annex III(5) or Annex III(4). Classify as HIGH-RISK.
+```text
+# HIGH — lead-quality scorer using behavioral + demographic signals, output routes to credit team
+System purpose: score leads for mortgage pre-qualification routing
+Input: browsing behavior, inferred income tier, device type, engagement rate
+Output: lead-quality score → routed to underwriting queue or rejected
+Classification: Annex III(5) — access to essential private services (credit/mortgage)
+Obligation: Technical documentation (Art. 11), conformity assessment (Art. 43),
+            EU AI database registration (Art. 71), transparency to affected persons (Art. 13)
+```
+### Step 5 — Limited-risk and transparency-only assessment
+For systems that do not meet Annex III criteria, assess whether limited-risk transparency obligations apply:
+- Article 52(1): Systems interacting with natural persons must disclose they are AI (chatbots, virtual advisors).
+- Article 52(3): Deep fake / synthetic content must be disclosed as artificially generated.
+- Article 52(4): Emotion recognition or biometric categorisation systems must notify the persons exposed.
+```text
+# MEDIUM — AI chatbot on marketing site with no AI-disclosure notice
+Obligation: Article 52(1) transparency notice required before interaction begins.
+```
+### Step 6 — Human oversight and Article 14 assessment
+Assess whether the system's declared human-oversight mechanism satisfies Article 14 for high-risk systems:
+```text
+# HIGH — "human in the loop" flag declared but system routes decisions to automated downstream agents
+The human review gate must be meaningful: the human must be able to understand the output,
+detect failures, and override or halt the system. Rubber-stamp review with no override capability
+does not satisfy Article 14.
+```
+### Step 7 — Documentation gap inventory
+For any non-minimal-risk system, enumerate required documentation and flag gaps:
+| Obligation | Article | Status |
+|---|---|---|
+| Technical documentation | Art. 11 | Present / Absent / Partial |
+| Conformity assessment | Art. 43 | Present / Absent / Planned |
+| EU AI database registration | Art. 71 | Present / Absent / Not started |
+| Transparency notice (users) | Art. 13/52 | Present / Absent |
+| Fundamental rights impact assessment | Art. 27 | Present / Absent |
+| Responsible person designation | Art. 26 | Present / Absent |
+### Step 8 — August 2026 enforcement readiness check
+Regulation 2024/1689 entered into force August 1, 2024. Key milestones:
+- February 2, 2025: Prohibited practices (Article 5) enforceable.
+- August 2, 2025: GPAI and governance provisions enforceable.
+- August 2, 2026: All provisions including high-risk obligations enforceable.
+Flag any high-risk system with no documented conformity-assessment timeline, no responsible person, or no EU AI database registration as MEDIUM (if enforcement date is future) or HIGH (if enforcement date has passed at time of review).
+### Step 9 — Produce the output
+Format findings using the Output section below.
+---
+## Output
+Return findings in this structure:
+```
+## Verdict
+<one sentence: pass / needs work / critical issues found>
+## Evidence level
+<description card provided | documentation-based | inference>
+## Risk-tier classification
+<Prohibited (Art. 5) candidate | High-risk Annex III | Limited-risk (Art. 52) | Minimal-risk>
+<rationale: which Annex III category or Article 5 provision applies and why>
+## Documentation gap inventory
+<table: obligation | article | status>
+## Findings
+### CRITICAL
+- [C1] <finding title>: <description> — <remediation>
+### HIGH
+- [H1] <finding title>: <description> — <remediation>
+### MEDIUM
+- [M1] <finding title>: <description> — <remediation>
+### LOW
+- [L1] <finding title>: <description> — <remediation>
+## August 2026 enforcement readiness
+<summary of gaps and timeline pressure>
+## Safe next actions
+1. <action>
+2. <action>
+## Open questions
+- <question requiring user clarification>
+```
+---
+## Security and scope notes
+- This is a static review. Never request model weights, training datasets, internal performance logs, or vendor system-access credentials. Work from sanitized description cards only.
+- The prohibited-practice determination under Article 5 is a legal conclusion — flag the candidate risk and route to qualified legal counsel rather than deciding it.
+- EU AI Act obligations are in addition to, not instead of, GDPR obligations. A system that triggers Annex III also implicates GDPR Article 22, Article 35 DPIA obligations, and special-category data restrictions.
+- August 2026 is a hard enforcement deadline; systems requiring conformity assessments need lead time. Flag timeline pressure explicitly.
+- When evidence is partial, scope each finding to what was provided and state the assumption explicitly.

package/skills/marketing/influencer-disclosure-compliance-review/SKILL.md ADDED Viewed

@@ -0,0 +1,43 @@
+---
+name: influencer-disclosure-compliance-review
+description: Use this skill when reviewing an influencer campaign audit pack — campaign brief, creator agreement excerpt, platform post descriptions or screenshot descriptions, and the disclosure format and placement specification — against FTC Endorsement Guides to identify undisclosed material connections, inadequate disclosure placement, and brand liability exposure. Trigger when a user provides a structured influencer campaign audit pack and asks whether disclosures meet FTC requirements, whether the brief contains problematic instructions, or whether the brand faces liability for creator conduct under 16 CFR Part 255.
+allowed-tools: Read Grep Glob
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+  updated: "2026-05-17"
+  category: compliance
+  lifecycle: experimental
+---
+# Influencer Disclosure Compliance Review
+## Purpose
+This skill reviews a structured influencer campaign audit pack against the FTC Endorsement Guides (16 CFR Part 255, updated 2023) and FTC Act Section 5 to identify undisclosed material connections, inadequate disclosure placement, brand-instructed deceptive practices, and brand liability exposure. The FTC has consistently held that a "material connection" — payment, gifted product, free service, family or employment relationship, or any other material incentive — must be clearly and conspicuously disclosed so that consumers can weight the endorsement appropriately. A disclosure buried after the "more" fold, placed only in a hashtag crowd, or omitted entirely is a violation. The review assesses the audit pack as a static document: it does not generate new campaign content, draft creator instructions, or approve posts. This skill is scoped strictly to reviewing an existing audit pack; for ad-hoc content generation, use a different skill.
+## Lean operating rules
+- Treat any post description where a material connection (payment, gifted product, free service, brand affiliation) exists but no disclosure appears in the visible portion of the content — before the "more" or "see more" fold on Instagram, TikTok, or YouTube — as HIGH. FTC Endorsement Guides §255.5 requires clear-and-conspicuous disclosure visible without requiring additional user action.
+- Treat gifted product or complimentary service received by the creator, regardless of whether cash payment was made, as a material connection requiring disclosure. Flag the absence of any gifted-product disclosure in the post description as HIGH.
+- Treat a campaign brief that instructs creators to "only share positive experiences," suppress honest opinions, or omit negative aspects of the product as HIGH. Instructing suppression of honest opinion is a deceptive practice under 16 CFR §255.5 and creates brand liability.
+- Treat disclosure language placed exclusively within a crowd of hashtags (e.g., `#ad` buried among 20 other hashtags) where it is not likely to stand out as HIGH — the FTC Endorsement Guides require disclosures to be clear and conspicuous, not hidden.
+- Treat a creator agreement that contains no disclosure obligation clause, or whose clause does not specify placement requirements, as HIGH — the brand bears responsibility for ensuring adequate disclosure and must contractually enforce it.
+- Treat verbal or audio-only disclosures in video content without simultaneous on-screen text disclosure as MEDIUM for platforms where superimposed text is technically feasible — the FTC's 2023 updated guides indicate disclosures should be simultaneous with the relevant content.
+- Treat the use of platform-native "Paid Partnership" or "Branded Content" labels as a positive control but note it does not eliminate the obligation to make disclosures in the caption or verbally where the connection is not otherwise obvious.
+- Flag any disclosure that uses ambiguous language — "collab," "sp," "partner," "ambassador" without context — without a plain-language equivalent as MEDIUM; the FTC guidance indicates that simple terms like "#ad" or "#sponsored" are preferred.
+- Flag the absence of a documented disclosure review or approval step in the campaign workflow as MEDIUM — brands bear ongoing liability for non-compliant creator posts.
+- Do not recommend suppressing, editing, or withholding any creator's honest opinion. Remediation recommendations must preserve the creator's right to share genuine views.
+- Label every finding with evidence basis: brief provided, contract provided, post description provided, disclosure spec provided, or inference from missing document.
+## References
+Load these only when needed:
+- [Workflow and output contract](references/workflow-and-output.md) — use when executing the full review or formatting the final answer.
+## Response minimum
+Return, at minimum:
+- Material-connection disclosure assessment (payment, gifted product, free service, other incentives)
+- Disclosure placement and conspicuousness assessment (pre-fold visibility, hashtag crowd, verbal vs. on-screen)
+- Brief and contract review for problematic instructions (opinion suppression, mandatory positivity)
+- Creator agreement disclosure-obligation clause assessment
+- Platform-native label usage assessment
+- Severity-labelled finding list (critical / high / medium / low)
+- Safe next actions

package/skills/marketing/influencer-disclosure-compliance-review/metadata.json ADDED Viewed

@@ -0,0 +1,22 @@
+{
+  "id": "influencer-disclosure-compliance-review",
+  "name": "Influencer Disclosure Compliance Review",
+  "type": "skill",
+  "provider": "marketing",
+  "harnesses": ["codex", "claude-code", "cursor", "gemini", "kiro", "other"],
+  "summary": "Review influencer campaign audit packs — brief, contract, post descriptions, and disclosure placement specs — for FTC Endorsement Guide violations: undisclosed material connections, inadequate disclosure placement, and brand liability exposure.",
+  "source_type": "original",
+  "official_docs": [
+    "https://www.ftc.gov/legal-library/browse/rules/endorsement-guides",
+    "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-255",
+    "https://www.ftc.gov/system/files/ftc_gov/pdf/ftc-endorsement-guides-final-rule.pdf",
+    "https://www.ftc.gov/legal-library/browse/statutes/federal-trade-commission-act",
+    "https://www.ftc.gov/business-guidance/resources/ftcs-endorsement-guides-what-people-are-asking"
+  ],
+  "security_notes": "Review works from a structured influencer campaign audit pack only — brief, contract excerpt, post descriptions, and disclosure spec. Never accept raw personal data about creators, unpublished negotiations, or brand financial terms beyond what is needed to assess disclosure adequacy. This is a static compliance review; it does not generate campaign content or creator instructions.",
+  "last_verified": "2026-05-17",
+  "path": "skills/marketing/influencer-disclosure-compliance-review",
+  "author": "github: Raishin",
+  "version": "0.1.0",
+  "lifecycle": "experimental"
+}

package/skills/marketing/influencer-disclosure-compliance-review/references/workflow-and-output.md ADDED Viewed

@@ -0,0 +1,156 @@
+# Workflow and Output Contract
+## Workflow
+### Step 1 — Collect inputs
+Ask the user to provide the influencer campaign audit pack as a structured document. The pack should include:
+- **Campaign brief**: objectives, key messages, deliverable specifications, any instructions to creators about tone or content scope
+- **Creator agreement excerpt**: compensation terms (cash, gifted product, affiliate commission, free service), disclosure obligation clause, content approval process
+- **Post descriptions**: written descriptions of the posts as published or planned, or a text description of screenshot content — including caption text, hashtags used, and where in the caption any disclosure language appears relative to the "more" fold
+- **Disclosure format and placement specification**: the brand's stated requirement for how creators must disclose (e.g., "#ad in first line," "verbal disclosure in first 30 seconds," "Instagram Paid Partnership label required")
+Note which documents are absent. If the brief is missing, note that brief-level findings cannot be assessed. If post descriptions are missing, note that placement findings are inference only.
+### Step 2 — Material connection identification
+Before assessing disclosures, identify all material connections present in the campaign:
+- **Cash payment**: flat fee, CPM, performance-based commission, affiliate fee
+- **Gifted product**: product provided free of charge regardless of whether additional payment was made — the FTC is explicit that product gifts are material connections
+- **Complimentary service**: free access, free subscription, free experience
+- **Brand affiliation**: creator is an employee, brand ambassador, family member of a brand employee, or investor in the brand
+- **Other incentives**: contest entry, travel, accommodation, ticket access
+```text
+# Example: material connections present in this campaign
+- Cash payment: $[AMOUNT_REDACTED] flat fee per post
+- Gifted product: one unit of [PRODUCT] provided prior to post
+- No affiliate commission structure found in contract excerpt
+```
+Any combination of the above constitutes a material connection requiring disclosure under 16 CFR §255.5. Document every connection found.
+### Step 3 — Brief review for problematic instructions
+Review the campaign brief for instructions that could themselves be deceptive practices or brand liability triggers:
+- **Opinion suppression**: Instructions to "only share positive experiences," "avoid mentioning [negative aspect]," "only post if you love it," or equivalent. Under 16 CFR §255.5 and FTC Act Section 5, directing a creator to suppress honest opinion is a deceptive practice attributable to the brand.
+- **Mandatory positivity**: Instructions requiring the creator to express enthusiasm, use superlatives, or frame the product in exclusively positive terms.
+- **Approval-gate bias**: An approval process where the brand reviews content before publication and withholds approval for content that includes balanced or negative views — functionally equivalent to opinion suppression.
+- **False authenticity framing**: Instructions to present sponsored content as organic discovery (e.g., "write as if you found this yourself").
+```text
+# HIGH — brief instructs opinion suppression
+Brief language: "Please only share your experience if it is positive. If you have concerns,
+reach out to us directly rather than including them in your post."
+# COMPLIANT — brief preserves honest opinion
+Brief language: "Share your genuine experience with the product. If you have concerns,
+you are welcome to include them. We ask only that you disclose the partnership."
+```
+### Step 4 — Disclosure placement and conspicuousness assessment
+For each post description, assess whether disclosure language is clear and conspicuous:
+**Pre-fold visibility rule**: On platforms with truncated captions (Instagram, TikTok, Facebook), disclosure language must appear before the "more" or "see more" fold — i.e., in the first approximately 125 characters visible without user interaction. A disclosure that appears after the fold is not clear and conspicuous regardless of its content.
+```text
+# HIGH — disclosure after the fold
+Caption (visible before "more"):
+"I've been obsessed with this skincare routine lately — here's what I've been using
+every morning to get glowing skin. Products linked below! 🌟 [120 chars so far]"
+[...more...]
+"#ad #sponsored #gifted"
+# COMPLIANT — disclosure in first line, before fold
+Caption:
+"AD | [Brand] gifted me this skincare set and I've been loving it..."
+```
+**Hashtag crowd burial**: A disclosure hashtag (`#ad`, `#sponsored`) buried within a group of 15 or more other hashtags at the end of a caption is not clear and conspicuous. Assess whether the disclosure hashtag stands out.
+**Video disclosures**: For video content, assess whether disclosure is:
+- Verbal: stated clearly and early (within first 30 seconds for videos over 2 minutes)
+- On-screen text: present simultaneously with the verbal mention or the first reference to the product
+- Not reliant solely on a description-box disclosure that viewers may not see
+**Platform-native labels**: Note whether Instagram's "Paid Partnership" label, TikTok's "Branded Content" toggle, or YouTube's paid promotion disclosure checkbox were used. These are positive controls but do not eliminate caption or verbal disclosure obligations where the connection might otherwise not be obvious.
+### Step 5 — Creator agreement disclosure-obligation clause assessment
+Review the creator agreement excerpt for:
+- **Presence of a disclosure clause**: Does the agreement explicitly require the creator to disclose the material connection in every post?
+- **Placement specificity**: Does the clause specify where in the post the disclosure must appear (e.g., "in the first line of the caption before any truncation")?
+- **Platform coverage**: Does the clause cover all platforms on which the creator will post, including Stories, Reels, TikTok, YouTube Shorts, and any cross-posting?
+- **Enforcement mechanism**: Does the agreement give the brand a right to request correction of a non-compliant post?
+A creator agreement with no disclosure clause, or with a disclosure clause that does not specify placement, leaves the brand exposed — the FTC holds brands responsible for ensuring disclosures are made even when individual creators are nominally independent.
+```text
+# HIGH — no disclosure clause
+Creator agreement excerpt: [No disclosure obligation language found in provided excerpt]
+# COMPLIANT — specific placement requirement
+Creator agreement clause: "Creator shall include '#ad' or '#sponsored' as the first
+hashtag or in the first line of the caption on each post, before any caption truncation."
+```
+### Step 6 — Disclosure format adequacy assessment
+Assess whether the disclosure language specified in the brief or used in post descriptions meets FTC clarity standards:
+- **Acceptable terms**: `#ad`, `#sponsored`, "Advertisement," "Paid partnership with [Brand]," "I received this product for free from [Brand]"
+- **Ambiguous terms** (flag as MEDIUM): `#collab`, `#sp`, `#partner`, `#ambassador` without further context — the FTC guidance notes these may not be universally understood
+- **Insufficient terms**: `#gifted` alone may not be sufficient if it does not convey the commercial nature of the relationship; `#affiliate` is more specific but may still require context
+### Step 7 — Produce the output
+Format findings using the Output section below.
+---
+## Output
+Return findings in this structure:
+```
+## Verdict
+<one sentence: pass / needs work / critical issues found>
+## Evidence level
+<brief provided | contract provided | post descriptions provided | disclosure spec provided | inference>
+## Material connections identified
+<list all material connections found in the audit pack>
+## Findings
+### CRITICAL
+- [C1] <finding title>: <description> — <remediation>
+### HIGH
+- [H1] <finding title>: <description> — <remediation>
+### MEDIUM
+- [M1] <finding title>: <description> — <remediation>
+### LOW
+- [L1] <finding title>: <description> — <remediation>
+## Safe next actions
+1. <action>
+2. <action>
+## Open questions
+- <question requiring user clarification>
+```
+---
+## Security and scope notes
+- This is a static review of a structured influencer campaign audit pack. The skill does not generate new post content, draft creator instructions, or approve posts for publication.
+- Never recommend that creators suppress honest opinions, omit negative experiences, or present sponsored content as organic discovery — these are themselves FTC violations and increase brand liability.
+- Brand liability under FTC Act Section 5 extends to deceptive acts by creators the brand directed or had reason to know about. A finding of brief-level opinion suppression instructions is a brand liability issue, not only a creator issue.
+- The FTC Endorsement Guides were substantially updated in 2023 — verify that any prior campaign documentation was produced with awareness of the updated requirements, particularly regarding disclosure placement and the treatment of gifted product.
+- When evidence is partial (e.g., no post descriptions provided), scope placement findings to inference and state assumptions explicitly.
+- A serious finding here (e.g., systematic non-disclosure across a campaign) may warrant notification to legal counsel before the campaign continues or expands.