ai-governance
EU AI Act compliance, OWASP LLM security, responsible AI practices for parliamentary data and MCP server applications
| Field | Value |
|-------------|------------------------------------------------------------------------------------------------------------------------|
| name | ai-governance |
| description | EU AI Act compliance, OWASP LLM security, responsible AI practices for parliamentary data and MCP server applications |
| license | MIT |
This skill applies when:
This skill focuses on governance of AI systems that consume EP data, as distinct from the ai-development-governance skill, which covers AI-assisted code development practices. Parliamentary data used by LLMs carries unique risks around political bias, misinformation, and democratic integrity.
```typescript
/**
 * Sanitize EP data before returning through MCP tools.
 * Prevents prompt injection when data flows into LLM contexts.
 */
function sanitizeForLLMContext(text: string): string {
  return text
    .replace(/[\x00-\x08\x0B\x0C\x0E-\x1F]/g, '') // Control characters
    .replace(/\bSYSTEM\s*:/gi, '[FILTERED]') // Instruction patterns
    .replace(/\bASSISTANT\s*:/gi, '[FILTERED]')
    .replace(/\bIGNORE\s+PREVIOUS/gi, '[FILTERED]')
    .trim();
}
```
```typescript
// Wrap tool output in an MCP text response with source attribution
function createMCPResponse(data: unknown, toolName: string) {
  return {
    content: [{
      type: "text",
      text: JSON.stringify({
        data,
        _metadata: {
          source: "European Parliament Open Data Portal",
          sourceUrl: "https://data.europarl.europa.eu/",
          retrievedAt: new Date().toISOString(),
          tool: toolName,
          disclaimer: "Official EU parliamentary records. Verify critical information at europarl.europa.eu.",
        },
      }, null, 2),
    }],
  };
}
```
| MCP Tool | EU AI Act Risk | Justification |
|------------------------|----------------|--------------------------------------------------|
| search_meps | Limited | Returns public official records |
| get_voting_records | Limited | Factual voting data, public record |
| analyze_voting_patterns| High | Generates political analysis, bias risk |
| get_mep_contacts | Limited | Contains personal data, GDPR applies |
```typescript
// Audit checklist for MCP tool security
const owaspLLMChecklist = {
  'LLM01_PromptInjection': 'Output sanitization applied to all EP data',
  'LLM02_InsecureOutput': 'JSON schema validation on all responses',
  'LLM03_TrainingDataPoisoning': 'N/A — server does not train models',
  'LLM04_ModelDoS': 'Rate limiting enforced per MCP client',
  'LLM05_SupplyChain': 'Dependency scanning via OSSF Scorecard',
  'LLM06_SensitiveData': 'GDPR minimization for MEP personal data',
  'LLM07_InsecurePlugin': 'Input validation on all tool parameters',
  'LLM08_ExcessiveAgency': 'Read-only tools, no write operations',
  'LLM09_Overreliance': 'Disclaimer and source attribution included',
  'LLM10_ModelTheft': 'N/A — server does not host models',
};
```
```typescript
// Anti-pattern 1: NEVER pass raw EP data directly without sanitization
return { content: [{ type: "text", text: rawApiResponse }] };

// Anti-pattern 2: NEVER return data without source attribution
return { content: [{ type: "text", text: JSON.stringify(votes) }] };
// LLM cannot cite or verify the source

// Anti-pattern 3: NEVER add sentiment or editorial language to factual data
return {
  text: `MEP ${name} controversially voted against the popular climate bill...`
  // "controversially" and "popular" are editorial, not factual
};
```
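The following added example (not the project's own code) ties the risk table, the sanitizer, and checklist items LLM01, LLM06 and LLM09 together: every response is gated by a per-tool policy, strings are sanitized at any nesting depth, personal-data tools only emit allowlisted fields, and High-tier tools carry a distinct disclaimer. The policy registry shape and the `name`/`officialEmail` allowlist for `get_mep_contacts` are assumptions; tool names and tiers come from the table above.

```typescript
// Added example: per-tool governance gate for MCP responses (not the project's code).
type RiskTier = "Limited" | "High";
interface ToolPolicy { tier: RiskTier; personalData?: boolean; allow?: string[] }

// Tiers from the EU AI Act risk table; the contacts allowlist is an assumption.
const TOOL_POLICY: Record<string, ToolPolicy> = {
  search_meps: { tier: "Limited" },
  get_voting_records: { tier: "Limited" },
  analyze_voting_patterns: { tier: "High" },
  // LLM06: GDPR minimization, only allowlisted fields leave the server
  get_mep_contacts: { tier: "Limited", personalData: true, allow: ["name", "officialEmail"] },
};

// LLM01: same filters as sanitizeForLLMContext, applied to every string in a nested value.
// The allowlist is enforced on record keys (top level and array elements), not nested sub-keys.
function sanitizeDeep(value: unknown, allow?: string[]): unknown {
  if (typeof value === "string") {
    return value
      .replace(/[\x00-\x08\x0B\x0C\x0E-\x1F]/g, "")
      .replace(/\b(SYSTEM|ASSISTANT)\s*:/gi, "[FILTERED]")
      .replace(/\bIGNORE\s+PREVIOUS/gi, "[FILTERED]")
      .trim();
  }
  if (Array.isArray(value)) return value.map((v) => sanitizeDeep(v, allow));
  if (value && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value)) {
      if (allow && !allow.includes(k)) continue; // drop non-allowlisted personal-data fields
      out[k] = sanitizeDeep(v);
    }
    return out;
  }
  return value; // numbers, booleans, null pass through unchanged
}

function buildGovernedResponse(toolName: string, data: unknown) {
  const policy = TOOL_POLICY[toolName];
  // Fail closed: a tool without a registered policy never returns data (LLM08)
  if (!policy) throw new Error(`No governance policy registered for tool ${toolName}`);
  const payload = {
    data: sanitizeDeep(data, policy.personalData ? policy.allow : undefined),
    _metadata: {
      source: "European Parliament Open Data Portal", // LLM09: attribution
      tool: toolName,
      euAiActRisk: policy.tier,
      disclaimer: policy.tier === "High"
        ? "Derived analysis, not an official record. Verify against primary voting data at europarl.europa.eu."
        : "Official EU parliamentary records. Verify critical information at europarl.europa.eu.",
    },
  };
  return { content: [{ type: "text", text: JSON.stringify(payload, null, 2) }] };
}
```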