@raishin/vanguard-frontier-agentic 2.0.0 → 2.1.0

package/skills/marketing/influencer-disclosure-compliance-review/SKILL.md

@@ -0,0 +1,43 @@
+---
+name: influencer-disclosure-compliance-review
+description: Use this skill when reviewing an influencer campaign audit pack — campaign brief, creator agreement excerpt, platform post descriptions or screenshot descriptions, and the disclosure format and placement specification — against FTC Endorsement Guides to identify undisclosed material connections, inadequate disclosure placement, and brand liability exposure. Trigger when a user provides a structured influencer campaign audit pack and asks whether disclosures meet FTC requirements, whether the brief contains problematic instructions, or whether the brand faces liability for creator conduct under 16 CFR Part 255.
+allowed-tools: Read Grep Glob
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+  updated: "2026-05-17"
+  category: compliance
+  lifecycle: experimental
+---
+
+# Influencer Disclosure Compliance Review
+
+## Purpose
+This skill reviews a structured influencer campaign audit pack against the FTC Endorsement Guides (16 CFR Part 255, updated 2023) and FTC Act Section 5 to identify undisclosed material connections, inadequate disclosure placement, brand-instructed deceptive practices, and brand liability exposure. The FTC has consistently held that a "material connection" — payment, gifted product, free service, family or employment relationship, or any other material incentive — must be clearly and conspicuously disclosed so that consumers can weight the endorsement appropriately. A disclosure buried after the "more" fold, placed only in a hashtag crowd, or omitted entirely is a violation. The review assesses the audit pack as a static document: it does not generate new campaign content, draft creator instructions, or approve posts. This skill is scoped strictly to reviewing an existing audit pack; for ad-hoc content generation, use a different skill.
+
+## Lean operating rules
+- Treat any post description where a material connection (payment, gifted product, free service, brand affiliation) exists but no disclosure appears in the visible portion of the content — before the "more" or "see more" fold on Instagram, TikTok, or YouTube — as HIGH. FTC Endorsement Guides §255.5 requires clear-and-conspicuous disclosure visible without requiring additional user action.
+- Treat gifted product or complimentary service received by the creator, regardless of whether cash payment was made, as a material connection requiring disclosure. Flag the absence of any gifted-product disclosure in the post description as HIGH.
+- Treat a campaign brief that instructs creators to "only share positive experiences," suppress honest opinions, or omit negative aspects of the product as HIGH. Instructing suppression of honest opinion is a deceptive practice under 16 CFR §255.5 and creates brand liability.
+- Treat disclosure language placed exclusively within a crowd of hashtags (e.g., `#ad` buried among 20 other hashtags) where it is not likely to stand out as HIGH — the FTC Endorsement Guides require disclosures to be clear and conspicuous, not hidden.
+- Treat a creator agreement that contains no disclosure obligation clause, or whose clause does not specify placement requirements, as HIGH — the brand bears responsibility for ensuring adequate disclosure and must contractually enforce it.
+- Treat verbal or audio-only disclosures in video content without simultaneous on-screen text disclosure as MEDIUM for platforms where superimposed text is technically feasible — the FTC's 2023 updated guides indicate disclosures should be simultaneous with the relevant content.
+- Treat the use of platform-native "Paid Partnership" or "Branded Content" labels as a positive control but note it does not eliminate the obligation to make disclosures in the caption or verbally where the connection is not otherwise obvious.
+- Flag any disclosure that uses ambiguous language — "collab," "sp," "partner," "ambassador" without context — without a plain-language equivalent as MEDIUM; the FTC guidance indicates that simple terms like "#ad" or "#sponsored" are preferred.
+- Flag the absence of a documented disclosure review or approval step in the campaign workflow as MEDIUM — brands bear ongoing liability for non-compliant creator posts.
+- Do not recommend suppressing, editing, or withholding any creator's honest opinion. Remediation recommendations must preserve the creator's right to share genuine views.
+- Label every finding with evidence basis: brief provided, contract provided, post description provided, disclosure spec provided, or inference from missing document.
+
+## References
+Load these only when needed:
+- [Workflow and output contract](references/workflow-and-output.md) — use when executing the full review or formatting the final answer.
+
+## Response minimum
+Return, at minimum:
+- Material-connection disclosure assessment (payment, gifted product, free service, other incentives)
+- Disclosure placement and conspicuousness assessment (pre-fold visibility, hashtag crowd, verbal vs. on-screen)
+- Brief and contract review for problematic instructions (opinion suppression, mandatory positivity)
+- Creator agreement disclosure-obligation clause assessment
+- Platform-native label usage assessment
+- Severity-labelled finding list (critical / high / medium / low)
+- Safe next actions

package/skills/marketing/influencer-disclosure-compliance-review/metadata.json

@@ -0,0 +1,22 @@
+{
+  "id": "influencer-disclosure-compliance-review",
+  "name": "Influencer Disclosure Compliance Review",
+  "type": "skill",
+  "provider": "marketing",
+  "harnesses": ["codex", "claude-code", "cursor", "gemini", "kiro", "other"],
+  "summary": "Review influencer campaign audit packs — brief, contract, post descriptions, and disclosure placement specs — for FTC Endorsement Guide violations: undisclosed material connections, inadequate disclosure placement, and brand liability exposure.",
+  "source_type": "original",
+  "official_docs": [
+    "https://www.ftc.gov/legal-library/browse/rules/endorsement-guides",
+    "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-255",
+    "https://www.ftc.gov/system/files/ftc_gov/pdf/ftc-endorsement-guides-final-rule.pdf",
+    "https://www.ftc.gov/legal-library/browse/statutes/federal-trade-commission-act",
+    "https://www.ftc.gov/business-guidance/resources/ftcs-endorsement-guides-what-people-are-asking"
+  ],
+  "security_notes": "Review works from a structured influencer campaign audit pack only — brief, contract excerpt, post descriptions, and disclosure spec. Never accept raw personal data about creators, unpublished negotiations, or brand financial terms beyond what is needed to assess disclosure adequacy. This is a static compliance review; it does not generate campaign content or creator instructions.",
+  "last_verified": "2026-05-17",
+  "path": "skills/marketing/influencer-disclosure-compliance-review",
+  "author": "github: Raishin",
+  "version": "0.1.0",
+  "lifecycle": "experimental"
+}

package/skills/marketing/influencer-disclosure-compliance-review/references/workflow-and-output.md

@@ -0,0 +1,156 @@
+# Workflow and Output Contract
+
+## Workflow
+
+### Step 1 — Collect inputs
+
+Ask the user to provide the influencer campaign audit pack as a structured document. The pack should include:
+- **Campaign brief**: objectives, key messages, deliverable specifications, any instructions to creators about tone or content scope
+- **Creator agreement excerpt**: compensation terms (cash, gifted product, affiliate commission, free service), disclosure obligation clause, content approval process
+- **Post descriptions**: written descriptions of the posts as published or planned, or a text description of screenshot content — including caption text, hashtags used, and where in the caption any disclosure language appears relative to the "more" fold
+- **Disclosure format and placement specification**: the brand's stated requirement for how creators must disclose (e.g., "#ad in first line," "verbal disclosure in first 30 seconds," "Instagram Paid Partnership label required")
+
+Note which documents are absent. If the brief is missing, note that brief-level findings cannot be assessed. If post descriptions are missing, note that placement findings are inference only.
+
+### Step 2 — Material connection identification
+
+Before assessing disclosures, identify all material connections present in the campaign:
+- **Cash payment**: flat fee, CPM, performance-based commission, affiliate fee
+- **Gifted product**: product provided free of charge regardless of whether additional payment was made — the FTC is explicit that product gifts are material connections
+- **Complimentary service**: free access, free subscription, free experience
+- **Brand affiliation**: creator is an employee, brand ambassador, family member of a brand employee, or investor in the brand
+- **Other incentives**: contest entry, travel, accommodation, ticket access
+
+```text
+# Example: material connections present in this campaign
+- Cash payment: $[AMOUNT_REDACTED] flat fee per post
+- Gifted product: one unit of [PRODUCT] provided prior to post
+- No affiliate commission structure found in contract excerpt
+```
+
+Any combination of the above constitutes a material connection requiring disclosure under 16 CFR §255.5. Document every connection found.
+
+### Step 3 — Brief review for problematic instructions
+
+Review the campaign brief for instructions that could themselves be deceptive practices or brand liability triggers:
+- **Opinion suppression**: Instructions to "only share positive experiences," "avoid mentioning [negative aspect]," "only post if you love it," or equivalent. Under 16 CFR §255.5 and FTC Act Section 5, directing a creator to suppress honest opinion is a deceptive practice attributable to the brand.
+- **Mandatory positivity**: Instructions requiring the creator to express enthusiasm, use superlatives, or frame the product in exclusively positive terms.
+- **Approval-gate bias**: An approval process where the brand reviews content before publication and withholds approval for content that includes balanced or negative views — functionally equivalent to opinion suppression.
+- **False authenticity framing**: Instructions to present sponsored content as organic discovery (e.g., "write as if you found this yourself").
+
+```text
+# HIGH — brief instructs opinion suppression
+Brief language: "Please only share your experience if it is positive. If you have concerns,
+reach out to us directly rather than including them in your post."
+
+# COMPLIANT — brief preserves honest opinion
+Brief language: "Share your genuine experience with the product. If you have concerns,
+you are welcome to include them. We ask only that you disclose the partnership."
+```
+
+### Step 4 — Disclosure placement and conspicuousness assessment
+
+For each post description, assess whether disclosure language is clear and conspicuous:
+
+**Pre-fold visibility rule**: On platforms with truncated captions (Instagram, TikTok, Facebook), disclosure language must appear before the "more" or "see more" fold — i.e., in the first approximately 125 characters visible without user interaction. A disclosure that appears after the fold is not clear and conspicuous regardless of its content.
+
+```text
+# HIGH — disclosure after the fold
+Caption (visible before "more"):
+"I've been obsessed with this skincare routine lately — here's what I've been using
+every morning to get glowing skin. Products linked below! 🌟 [120 chars so far]"
+[...more...]
+"#ad #sponsored #gifted"
+
+# COMPLIANT — disclosure in first line, before fold
+Caption:
+"AD | [Brand] gifted me this skincare set and I've been loving it..."
+```
+
+**Hashtag crowd burial**: A disclosure hashtag (`#ad`, `#sponsored`) buried within a group of 15 or more other hashtags at the end of a caption is not clear and conspicuous. Assess whether the disclosure hashtag stands out.
+
+**Video disclosures**: For video content, assess whether disclosure is:
+- Verbal: stated clearly and early (within first 30 seconds for videos over 2 minutes)
+- On-screen text: present simultaneously with the verbal mention or the first reference to the product
+- Not reliant solely on a description-box disclosure that viewers may not see
+
+**Platform-native labels**: Note whether Instagram's "Paid Partnership" label, TikTok's "Branded Content" toggle, or YouTube's paid promotion disclosure checkbox were used. These are positive controls but do not eliminate caption or verbal disclosure obligations where the connection might otherwise not be obvious.
+
+### Step 5 — Creator agreement disclosure-obligation clause assessment
+
+Review the creator agreement excerpt for:
+- **Presence of a disclosure clause**: Does the agreement explicitly require the creator to disclose the material connection in every post?
+- **Placement specificity**: Does the clause specify where in the post the disclosure must appear (e.g., "in the first line of the caption before any truncation")?
+- **Platform coverage**: Does the clause cover all platforms on which the creator will post, including Stories, Reels, TikTok, YouTube Shorts, and any cross-posting?
+- **Enforcement mechanism**: Does the agreement give the brand a right to request correction of a non-compliant post?
+
+A creator agreement with no disclosure clause, or with a disclosure clause that does not specify placement, leaves the brand exposed — the FTC holds brands responsible for ensuring disclosures are made even when individual creators are nominally independent.
+
+```text
+# HIGH — no disclosure clause
+Creator agreement excerpt: [No disclosure obligation language found in provided excerpt]
+
+# COMPLIANT — specific placement requirement
+Creator agreement clause: "Creator shall include '#ad' or '#sponsored' as the first
+hashtag or in the first line of the caption on each post, before any caption truncation."
+```
+
+### Step 6 — Disclosure format adequacy assessment
+
+Assess whether the disclosure language specified in the brief or used in post descriptions meets FTC clarity standards:
+- **Acceptable terms**: `#ad`, `#sponsored`, "Advertisement," "Paid partnership with [Brand]," "I received this product for free from [Brand]"
+- **Ambiguous terms** (flag as MEDIUM): `#collab`, `#sp`, `#partner`, `#ambassador` without further context — the FTC guidance notes these may not be universally understood
+- **Insufficient terms**: `#gifted` alone may not be sufficient if it does not convey the commercial nature of the relationship; `#affiliate` is more specific but may still require context
+
+### Step 7 — Produce the output
+
+Format findings using the Output section below.
+
+---
+
+## Output
+
+Return findings in this structure:
+
+```
+## Verdict
+<one sentence: pass / needs work / critical issues found>
+
+## Evidence level
+<brief provided | contract provided | post descriptions provided | disclosure spec provided | inference>
+
+## Material connections identified
+<list all material connections found in the audit pack>
+
+## Findings
+
+### CRITICAL
+- [C1] <finding title>: <description> — <remediation>
+
+### HIGH
+- [H1] <finding title>: <description> — <remediation>
+
+### MEDIUM
+- [M1] <finding title>: <description> — <remediation>
+
+### LOW
+- [L1] <finding title>: <description> — <remediation>
+
+## Safe next actions
+1. <action>
+2. <action>
+
+## Open questions
+- <question requiring user clarification>
+```
+
+---
+
+## Security and scope notes
+
+- This is a static review of a structured influencer campaign audit pack. The skill does not generate new post content, draft creator instructions, or approve posts for publication.
+- Never recommend that creators suppress honest opinions, omit negative experiences, or present sponsored content as organic discovery — these are themselves FTC violations and increase brand liability.
+- Brand liability under FTC Act Section 5 extends to deceptive acts by creators the brand directed or had reason to know about. A finding of brief-level opinion suppression instructions is a brand liability issue, not only a creator issue.
+- The FTC Endorsement Guides were substantially updated in 2023 — verify that any prior campaign documentation was produced with awareness of the updated requirements, particularly regarding disclosure placement and the treatment of gifted product.
+- When evidence is partial (e.g., no post descriptions provided), scope placement findings to inference and state assumptions explicitly.
+- A serious finding here (e.g., systematic non-disclosure across a campaign) may warrant notification to legal counsel before the campaign continues or expands.

package/skills/marketing/lookalike-audience-upload-compliance-review/SKILL.md

@@ -0,0 +1,44 @@
+---
+name: lookalike-audience-upload-compliance-review
+description: Use this skill when reviewing custom-audience and lookalike-audience upload specifications for hashing adequacy, PII field scope, consent-basis validity, and platform data-sharing restrictions before the upload is submitted to Meta, Google, LinkedIn, or TikTok. Trigger when a user provides an audience upload field-mapping specification (CSV schema or platform upload template), declared hashing method, consent-basis documentation, or originating list segment metadata — or when they ask whether their customer list upload or lookalike seed list is compliant with GDPR, CCPA/CPRA, or platform terms before uploading.
+allowed-tools: Read Grep Glob
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+  updated: "2026-05-17"
+  category: data
+  lifecycle: experimental
+---
+
+# Lookalike Audience Upload Compliance Review
+
+## Purpose
+This skill reviews custom-audience and lookalike-audience upload specifications for hashing adequacy, PII field scope, consent-basis validity, and platform data-sharing restrictions before the upload is submitted to Meta, Google, LinkedIn, or TikTok. Customer list uploads are one of the most common data-sharing vectors in marketing operations: a brand transmits personal data — email, phone, name, address — to an ad platform under the guise of audience matching. The legal basis, the scope of consent granted, the minimality of the field set, and the reversibility of the hashing method all determine whether the upload is a lawful data-sharing arrangement or an unauthorized third-party disclosure that violates GDPR Article 5 and 6, CCPA/CPRA §1798.100, and platform terms. The review catches underhashed identifiers, oversized field sets, consent-scope mismatches, and re-identification surfaces before the upload fires.
+
+## Lean operating rules
+- Treat email addresses, phone numbers, or other direct identifiers hashed with MD5 rather than SHA-256 (or better) as HIGH — MD5 is trivially reversible via rainbow table for common email formats and does not constitute adequate pseudonymization under GDPR Article 5(1)(f).
+- Treat a seed list for a financial-services, insurance, or healthcare lookalike that includes customers who consented only to service communications (transactional consent) as HIGH — sharing that list with an ad platform for advertising targeting exceeds the consent scope, constituting unauthorized "sharing" of personal information under CPRA §1798.100 and a purpose-limitation violation under GDPR Article 5(1)(b).
+- Treat a field mapping that includes home postal code combined with email and phone as HIGH — the combination creates a high-confidence re-identification surface beyond what the matching algorithm requires, violating the data-minimization principle under GDPR Article 5(1)(c) and FTC data-minimization guidance.
+- Treat unhashed upload of any direct identifier (plain-text email, phone, name) as HIGH — no platform terms permit plain-text PII upload, and transmission in the clear is an unequivocal data breach of the identifier.
+- Treat the absence of a documented lawful basis (GDPR Article 6) for the data-sharing arrangement — neither the original collection basis nor a separate legitimate-interest or consent basis for sharing with the ad platform — as HIGH.
+- Treat lookalike seed lists that include individuals in jurisdictions where the operator has no data-processing agreement with the ad platform (e.g., EU residents shared with a non-adequate-country platform without SCCs) as HIGH — the transfer itself is unlawful under GDPR Chapter V.
+- Flag field sets that include date of birth, precise geolocation, or transaction-level history where only email and phone are needed for matching as MEDIUM — over-inclusion violates data minimization and increases re-identification risk.
+- Flag platform-specific restrictions violated by the field mapping — e.g., Meta's Customer List Custom Audience terms prohibit health, financial account data, and sensitive categories — as MEDIUM when inclusion is marginal but potentially violating.
+- Flag the absence of a documented retention or deletion schedule for the matched and unmatched records on the platform side as MEDIUM — GDPR Article 5(1)(e) requires storage limitation; the user should confirm platform-side deletion timelines.
+- Do not recommend uploading any field not strictly needed for the matching objective; default to the minimum field set (normalized lowercase email SHA-256 hashed) unless the user explicitly requires phone or name for match-rate reasons.
+- Label every finding with evidence basis: field-mapping spec provided, hashing method declared, consent documentation provided, or inference from missing information.
+
+## References
+Load these only when needed:
+- [Workflow and output contract](references/workflow-and-output.md) — use when executing the full review or formatting the final answer.
+
+## Response minimum
+Return, at minimum:
+- Hashing adequacy assessment (algorithm, where hashing occurs, platform requirement alignment)
+- PII field-scope and data-minimization assessment (fields included vs. fields needed)
+- Consent-basis validity assessment (original collection basis, scope for ad-platform sharing)
+- Cross-border transfer assessment (GDPR Chapter V if EU data subjects are in the list)
+- Platform-specific restriction check (Meta, Google, LinkedIn, TikTok terms)
+- Re-identification surface assessment (field combination risk)
+- Severity-labelled finding list (critical / high / medium / low)
+- Safe next actions

package/skills/marketing/lookalike-audience-upload-compliance-review/metadata.json

@@ -0,0 +1,21 @@
+{
+  "id": "lookalike-audience-upload-compliance-review",
+  "name": "Lookalike Audience Upload Compliance Review",
+  "type": "skill",
+  "provider": "marketing",
+  "harnesses": ["codex", "claude-code", "cursor", "gemini", "kiro", "other"],
+  "summary": "Review custom-audience and lookalike-audience upload specifications for hashing adequacy, PII field scope, consent-basis validity, and platform data-sharing restrictions before upload to Meta, Google, LinkedIn, or TikTok — catching underhashed identifiers, consent-scope mismatches, and re-identification surfaces.",
+  "source_type": "original",
+  "official_docs": [
+    "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679",
+    "https://oag.ca.gov/privacy/ccpa",
+    "https://www.ftc.gov/reports/data-brokers-call-transparency-accountability",
+    "https://developers.facebook.com/docs/marketing-api/audiences/guides/custom-audiences/",
+    "https://support.google.com/google-ads/answer/6334160"
+  ],
+  "security_notes": "Custom-audience uploads transmit hashed personal data to ad platforms under data-sharing arrangements that must have a lawful basis, appropriate consent scope, and adequate pseudonymization. Review works from sanitized field-mapping specifications, declared hashing methods, and consent-basis documentation only; never request actual audience files, real customer records, or platform API credentials.",
+  "last_verified": "2026-05-17",
+  "path": "skills/marketing/lookalike-audience-upload-compliance-review",
+  "author": "github: Raishin",
+  "version": "0.1.0"
+}

package/skills/marketing/lookalike-audience-upload-compliance-review/references/workflow-and-output.md

@@ -0,0 +1,203 @@
+# Workflow and Output Contract
+
+## Workflow
+
+### Step 1 — Collect inputs
+
+Ask the user to provide one or more of the following as sanitized documents (replace real records with schema descriptions; no actual customer PII, no platform API credentials):
+- Audience upload field-mapping specification (CSV column headers, platform upload template, or field list with data types)
+- Declared hashing method (algorithm, whether hashing occurs client-side or server-side, and normalization steps applied before hashing)
+- Consent-basis documentation (privacy notice excerpt, consent-collection mechanism, opt-in/opt-out flow, original collection purpose)
+- Originating list segment metadata (how the list was segmented, which customer population it covers, what action or consent triggered inclusion)
+- Target platform(s) (Meta, Google, LinkedIn, TikTok, or DSP)
+- Whether EU or California resident data subjects are included
+
+If the user provides only a partial set, note which sections are absent and scope findings accordingly.
+
+### Step 2 — Platform identification and terms baseline
+
+Identify the target platform and retrieve the relevant customer-list terms:
+
+```text
+Meta Custom Audiences: Prohibit sensitive categories (health, financial account data, sexual orientation,
+  religious beliefs, political views, union membership, biometric data, criminal records, or data from
+  users under 13). Require SHA-256 hashing of email, phone, name. Normalize before hashing
+  (lowercase, no spaces).
+
+Google Customer Match: Prohibit sensitive-category data. Require SHA-256 hashing. Normalization
+  required per Google's specification (lowercase email, E.164 phone format before hashing).
+
+LinkedIn Matched Audiences: Prohibit sensitive categories. Require SHA-256. Minimum list size
+  enforced for privacy (300 matched members).
+
+TikTok Custom Audiences: Require SHA-256. Prohibit sensitive categories. GDPR and CCPA
+  compliance certifications required for respective geographies.
+```
+
+Note any field in the specification that appears to violate platform-specific prohibitions.
+
+### Step 3 — Hashing adequacy audit
+
+Inspect the declared hashing method against minimum requirements:
+
+```text
+# HIGH — MD5 hashing declared
+MD5 produces a 128-bit digest. For common email formats (first.last@domain.com),
+precomputed rainbow tables resolve ~80-90% of hashes. This is not adequate pseudonymization
+under GDPR Article 5(1)(f) and violates platform terms for Meta, Google, LinkedIn, and TikTok.
+Remediation: Replace MD5 with SHA-256. Apply normalization (lowercase, trim whitespace) before hashing.
+
+# HIGH — plain-text upload (no hashing declared)
+Direct transmission of email or phone in the clear constitutes unambiguous PII disclosure
+to the ad platform. No platform terms permit this.
+
+# MEDIUM — SHA-256 declared but normalization step not documented
+Without documented normalization (lowercase, strip punctuation), match rates degrade and
+partial hash collisions become possible. Confirm normalization spec.
+
+# CORRECT — SHA-256 with documented normalization
+Email: lowercase → strip whitespace → SHA-256
+Phone: E.164 format → strip non-numeric → SHA-256
+```
+
+Hashing reduces re-identification risk but does not eliminate it — flag this explicitly. Hashed identifiers are still personal data under GDPR.
+
+### Step 4 — PII field-scope and data-minimization audit
+
+Inspect the field mapping for over-inclusion relative to the matching objective:
+
+```text
+# Minimum field set for match-rate adequacy (any platform)
+- SHA-256 hashed email  ← sufficient for >85% match rates on most platforms
+
+# Extended field set (justified only when match rate is demonstrably inadequate)
+- SHA-256 hashed phone number
+- SHA-256 hashed first name + last name (separate fields per platform spec)
+
+# Over-included fields (data-minimization violation)
+- Date of birth → not needed for matching; increases re-identification
+- Home postal code → combined with email + phone = high-confidence re-identification surface
+- Transaction history columns → no matching function; pure data exposure
+- IP address → not a valid matching identifier; exposes behavioral fingerprint
+```
+
+Flag any field beyond the minimum set needed for the stated matching objective as MEDIUM. Flag postal code combined with email and phone as HIGH (re-identification surface).
+
+### Step 5 — Consent-basis validity audit
+
+Map the originating consent basis against the intended use:
+
+```text
+Scenario A — Transactional consent only
+Original consent: "I agree to receive order confirmations and shipping updates."
+Intended use: Seed list for Facebook lookalike audience targeting financial product ads.
+Assessment: HIGH — sharing for advertising targeting exceeds the transactional consent scope.
+GDPR: Purpose-limitation violation (Article 5(1)(b)). Separate consent for advertising use required.
+CPRA: Unauthorized "sharing" of personal information for cross-context behavioral advertising
+      (§1798.100) — constitutes a sale/share requiring opt-out mechanism.
+
+Scenario B — Marketing consent with opt-in
+Original consent: "I agree to receive marketing communications from [Brand]."
+Intended use: Custom audience upload for retargeting on Meta.
+Assessment: MEDIUM — first-party retargeting may fall within scope, but sharing PII with Meta
+            as a data controller may require separate disclosure in the privacy notice.
+            Confirm whether privacy notice discloses ad-platform data sharing.
+
+Scenario C — No documented consent, legitimate interest asserted
+Assessment: HIGH — legitimate interest is a narrow basis that rarely survives for ad-platform
+            data sharing. LIA (Legitimate Interest Assessment) must be documented; data-subject
+            rights (opt-out, erasure) must be honored.
+```
+
+### Step 6 — Cross-border transfer assessment
+
+If EU resident data subjects are in the list and the ad platform is a non-adequate-country processor:
+
+```text
+# Required safeguards for EU → US transfer (post-Schrems II)
+- Standard Contractual Clauses (SCCs) — Module 2 (controller to processor) or
+  Module 1 (controller to controller depending on platform's legal role)
+- UK Addendum if UK residents included
+- Transfer Impact Assessment (TIA) documented
+
+# HIGH — EU residents in list, no SCC or EU-US DPF certification documented for the platform
+GDPR Chapter V prohibits transfer without adequate safeguard. Confirm platform's DPF
+certification status or execute SCCs before upload.
+```
+
+### Step 7 — Platform-specific sensitive-category restriction check
+
+Cross-check each field against platform-specific prohibited categories:
+
+| Field | Meta | Google | LinkedIn | TikTok |
+|---|---|---|---|---|
+| Health condition inferred from segment | PROHIBITED | PROHIBITED | PROHIBITED | PROHIBITED |
+| Financial hardship segment label | PROHIBITED | PROHIBITED | Review | Review |
+| Religious affiliation in segment metadata | PROHIBITED | PROHIBITED | PROHIBITED | PROHIBITED |
+| Age (exact DOB) | Allowed (hashed) | Allowed (hashed) | Caution | Caution |
+| Postal code (unhashed) | Not a match field | Not a match field | Not a match field | Not a match field |
+
+Flag any field or segment label that maps to a platform-prohibited category.
+
+### Step 8 — Retention and deletion assessment
+
+Flag the absence of documented platform-side retention limits as MEDIUM:
+
+- Confirm the platform's stated retention period for unmatched records (typically 48-72 hours for most platforms).
+- Confirm whether the operator has a deletion schedule for the source list post-upload.
+- Confirm whether the list can be deleted from the platform after campaign completion.
+
+### Step 9 — Produce the output
+
+Format findings using the Output section below.
+
+---
+
+## Output
+
+Return findings in this structure:
+
+```
+## Verdict
+<one sentence: pass / needs work / critical issues found>
+
+## Evidence level
+<field-mapping spec provided | hashing method declared | consent documentation provided | inference>
+
+## Platform(s) in scope
+<Meta | Google | LinkedIn | TikTok | DSP>
+
+## Findings
+
+### CRITICAL
+- [C1] <finding title>: <description> — <remediation>
+
+### HIGH
+- [H1] <finding title>: <description> — <remediation>
+
+### MEDIUM
+- [M1] <finding title>: <description> — <remediation>
+
+### LOW
+- [L1] <finding title>: <description> — <remediation>
+
+## Recommended minimum field set
+<field list with hashing spec>
+
+## Safe next actions
+1. <action>
+2. <action>
+
+## Open questions
+- <question requiring user clarification>
+```
+
+---
+
+## Security and scope notes
+
+- This is a static review. Never request actual audience files, real customer records, or platform API credentials. Work from sanitized field-mapping specifications, declared hashing methods, and consent-basis documentation.
+- SHA-256 hashing of a common email address is pseudonymization, not anonymization — the hashed identifier is still personal data under GDPR and still requires a lawful basis for sharing with the ad platform.
+- A consent-scope mismatch discovered here may constitute a reportable breach or an unauthorized "sale/share" of personal information under CPRA — flag that possibility and route the legal determination to qualified counsel and the privacy compliance team.
+- Never recommend uploading a field that is not strictly needed for the matching objective. Default to the minimum field set.
+- When evidence is partial, scope each finding to what was provided and state the assumption explicitly.

package/skills/marketing/marketing-consent-data-collection-review/SKILL.md

@@ -0,0 +1,44 @@
+---
+name: marketing-consent-data-collection-review
+description: Use this skill when reviewing a marketing site's consent and data-collection posture — cookie/consent banner (CMP) configuration, tag-manager container exports, Google Consent Mode wiring, or a cookie policy. Trigger when a user provides a CMP configuration, a tag manager container JSON, a consent-banner screenshot description, or asks whether their marketing tracking is GDPR/CCPA/ePrivacy compliant, whether tags fire before consent, or whether their opt-out path is valid.
+allowed-tools: Read Grep Glob
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+  updated: "2026-05-17"
+  category: compliance
+  lifecycle: experimental
+---
+
+# Marketing Consent and Data-Collection Review
+
+## Purpose
+This skill reviews the consent and data-collection layer of a marketing site for regulatory correctness, coverage gaps, and dark-pattern risk. Marketing analytics and advertising tags are a primary enforcement target under GDPR, the ePrivacy Directive, and US state privacy laws (CCPA/CPRA and successors). A tag that fires before a consent signal, a banner with no symmetric reject control, or a missing "Do Not Sell or Share" path converts routine marketing instrumentation into a regulatory liability and a class-action surface. The review catches consent-gating failures, banner dark patterns, Consent Mode misconfiguration, undeclared trackers, and cross-border transfer gaps before they reach production.
+
+## Lean operating rules
+- Treat any analytics or advertising tag that fires before an explicit opt-in consent signal (in a GDPR/ePrivacy-scoped jurisdiction) as HIGH — prior consent is required before non-essential storage or access.
+- Treat a consent banner with no reject control, or a reject control that takes more clicks or less visual weight than accept, as HIGH — non-symmetric choice is a recognized dark pattern and invalidates consent.
+- Treat pre-ticked consent checkboxes or "consent by continued browsing / scrolling" as HIGH — neither is freely given, specific, informed, and unambiguous consent.
+- Treat the absence of a "Do Not Sell or Share My Personal Information" link or an equivalent opt-out preference signal path (Global Privacy Control honoring) as HIGH for sites serving California or other opt-out-regime traffic.
+- Treat Google Consent Mode left in its default-granted state, or implemented without `wait_for_update`, as HIGH — tags transmit before the consent decision is captured.
+- Treat trackers observed in the tag container that are not disclosed in the cookie policy or consent vendor list as HIGH — undisclosed processing has no lawful basis.
+- Flag a single global consent toggle with no per-purpose granularity (analytics vs advertising vs personalization) as MEDIUM — purpose-bundled consent is not specific.
+- Flag consent records with no retention of timestamp, scope, and consent-string version as MEDIUM — without a consent record the controller cannot demonstrate compliance.
+- Flag advertising tags that send data to ad networks in non-EEA jurisdictions with no referenced transfer mechanism as MEDIUM.
+- Do not recommend disabling a tag without naming the marketing measurement it supports and the residual attribution loss.
+- Label every finding with evidence basis: configuration provided, policy text provided, documentation-based, or inference from missing config.
+
+## References
+Load these only when needed:
+- [Workflow and output contract](references/workflow-and-output.md) — use when executing the full review or formatting the final answer.
+
+## Response minimum
+Return, at minimum:
+- Consent-gating findings (tags firing before the consent signal)
+- Banner design assessment (symmetry, granularity, dark-pattern checks)
+- Opt-out / Global Privacy Control path assessment
+- Consent Mode / tag-manager wiring findings
+- Tracker-to-policy disclosure gap list
+- Cross-border transfer assessment
+- Severity-labelled finding list (critical / high / medium / low)
+- Safe next actions

package/skills/marketing/marketing-consent-data-collection-review/metadata.json

@@ -0,0 +1,21 @@
+{
+  "id": "marketing-consent-data-collection-review",
+  "name": "Marketing Consent and Data-Collection Review",
+  "type": "skill",
+  "provider": "marketing",
+  "harnesses": ["codex", "claude-code", "cursor", "gemini", "kiro", "other"],
+  "summary": "Review marketing consent and data-collection posture — CMP banner config, tag-manager containers, Consent Mode wiring, and cookie policy — for GDPR/ePrivacy/CCPA correctness, dark patterns, and undisclosed trackers.",
+  "source_type": "original",
+  "official_docs": [
+    "https://eur-lex.europa.eu/eli/reg/2016/679/oj",
+    "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32002L0058",
+    "https://oag.ca.gov/privacy/ccpa",
+    "https://developers.google.com/tag-platform/security/guides/consent",
+    "https://iabeurope.eu/transparency-consent-framework/"
+  ],
+  "security_notes": "Marketing tags that fire before a consent signal collect personal data with no lawful basis and expose the controller to GDPR/ePrivacy enforcement and CCPA class actions. Consent banners with non-symmetric choice or pre-ticked boxes invalidate consent. Review works from sanitized configuration only; never request real visitor data, consent-string archives, or analytics account credentials.",
+  "last_verified": "2026-05-17",
+  "path": "skills/marketing/marketing-consent-data-collection-review",
+  "author": "github: Raishin",
+  "version": "0.1.0"
+}