| name | generate-eu-ai-act-system-card |
| description | Generates a per-service EU AI Act system card documenting AI tool usage, risk classification, human oversight mechanisms, and limitations. Use for any service where AI tools contribute to code generation, decision support, or automated processing — especially before the August 2026 EU AI Act deadline. Use when dark-code-audit flags AI-heavy services, when preparing a compliance package for a regulator or enterprise customer, or when the organization needs to document its AI practices. Reads MODULE_MANIFEST.md and BEHAVIORAL_CONTRACTS.md, conducts a structured interview, and writes docs/compliance/eu-ai-act-system-card-<service>-YYYY-MM-DD.md. Invoke as /generate-eu-ai-act-system-card path/to/service or with --risk-level limited|general|high. |
/generate-eu-ai-act-system-card
Generates a per-service EU AI Act system card. The August 2026 deadline applies to organizations operating AI systems in the EU — documentation requirements vary by risk level but the practice of documenting AI usage is good hygiene regardless.
What a system card is and why it matters
The EU AI Act requires organizations to maintain technical documentation for AI systems describing: intended purpose, capabilities and limitations, data used, performance metrics, human oversight mechanisms, and identified risks. For most teams using AI-assisted code generation, the obligation attaches not to the LLM tool itself but to what the service does with AI assistance — especially if AI contributes to decisions that affect users.
A system card answers the question: "If a regulator asked how AI is used in this service, what would you tell them?" Writing it before you're asked forces an honest accounting of AI usage and identifies oversight gaps before they become compliance problems.
Arguments
path/to/service — required; the service directory to document
--risk-level limited|general|high — optional; if omitted, ask the user
Phase 1: Read context files
Read MODULE_MANIFEST.md and BEHAVIORAL_CONTRACTS.md from the target service directory (and parent directories if the service has sub-modules). Extract:
- Service purpose and scope
- Data types processed (data classification fields)
- External services and dependencies
- Owner / responsible team
- Any existing AI-related notes
If no MODULE_MANIFEST.md exists for the service, say so before proceeding:
```
No MODULE_MANIFEST.md found for [service]. I can still generate a system card from the
interview, but the documentation will be less complete. Consider running
/context-layer-generator on this service first.
Continue anyway? (yes/no)
```
Phase 2: Determine risk classification
If --risk-level was provided, use it. Otherwise, present the classification framework:
```
EU AI Act risk classifications:
PROHIBITED — systems banned entirely (manipulation, social scoring, real-time biometric surveillance)
HIGH-RISK — specific sectors: biometric ID, critical infrastructure, education/employment decisions,
            essential services, law enforcement, migration, justice (requires conformity assessment)
LIMITED RISK — chatbots, deepfakes, emotion recognition (transparency obligations)
MINIMAL/NO RISK — most software tools, code generation, recommendation systems
For this service ([service name]):
- If AI contributes to employment or hiring decisions → likely HIGH-RISK
- If AI contributes to credit, insurance, or benefits decisions → likely HIGH-RISK
- If AI is used for code generation, testing, or internal tooling → likely MINIMAL RISK
- If the service exposes an AI chatbot to users → likely LIMITED RISK
What is the risk classification for [service name]?
```
Note: the classification of the tool (e.g., the LLM) and the classification of the service may differ. A minimal-risk code generation tool can produce a high-risk system. Document what the service does, not what model it uses.
Phase 3: Interview
Ask these questions. Phrase them plainly — the answers go into a document that a non-technical regulator may read:
AI usage:
1. Which AI tools are used in [service name] and for what purpose? (Code generation / content generation / decision support / automated processing / other)
2. Are AI tools making or contributing to decisions that directly affect users — approvals, rejections, rankings, recommendations? If yes, what decisions?
3. Is there a human review step before AI-assisted decisions are applied to users?
4. Can the service's AI-assisted behavior be explained to an affected user on request?
Performance:
5. How was the AI-assisted functionality tested before deployment?
6. Are there known cases where the AI produces incorrect, biased, or unexpected outputs?
7. What monitoring is in place to detect degraded AI performance in production?
Human oversight:
8. Can a human override or reverse an AI-assisted decision? How?
9. Is there a process for users to request human review of an AI-assisted decision?
10. Who is accountable for monitoring this system's AI behavior?
Incident history:
11. Has the AI produced incorrect, unexpected, or harmful outputs in this service? If yes, what happened and what safeguards were added?
If the user can't answer a question, mark it [OPEN QUESTION — requires input from responsible party].
Phase 4: Write the system card
Write to docs/compliance/eu-ai-act-system-card-<service-name>-YYYY-MM-DD.md. Derive <service-name> from the directory name — strip path separators, use hyphens.
```markdown
# EU AI Act System Card: [Service Name]
**Risk classification:** [Minimal / Limited / High]
**Regulation basis:** EU Artificial Intelligence Act, [relevant articles for risk level]
**Last updated:** [today's date]
**Responsible party:** [owner from MODULE_MANIFEST.md, or from interview]
**Status:** DRAFT — requires legal review
> **This document was generated from code context files and a structured interview. It requires
> legal review before use as an EU AI Act compliance document.** EU AI Act obligations vary
> significantly by risk classification and use case. Engage legal counsel with EU AI Act expertise
> before submitting this as compliance documentation.
---
## 1. System Description
### Intended purpose
[What the service does and why AI is used in it — from MODULE_MANIFEST.md purpose + interview]
### AI tools used
[Which AI tools, for what purpose, at what stage of the workflow — from interview Q1]
### Capabilities
[What the AI-assisted parts of the service can do]
### Limitations
[Known limitations, failure modes, edge cases — from interview Q6]
---
## 2. Data
### Input data
[What data is provided to AI tooling — from MODULE_MANIFEST.md data classification and interview]
### Output data
[What the AI produces — from BEHAVIORAL_CONTRACTS.md and interview]
### Training data (if applicable)
[If a custom or fine-tuned model is used: what data was it trained on. If using a third-party model: note that training data is governed by the model provider's documentation.]
---
## 3. Performance
### Evaluation methodology
[How AI-assisted functionality was tested before deployment — from interview Q5]
### Known performance gaps
[Cases where the system is known to perform poorly — from interview Q6]
### Monitoring in place
[How ongoing performance is tracked — from interview Q7]
---
## 4. Human Oversight
### Override mechanism
[Can a human reverse AI-assisted decisions? How? — from interview Q8]
### User recourse
[Can affected users request human review? — from interview Q9]
### Responsible personnel
[Who monitors this system and is accountable for its behavior — from interview Q10]
---
## 5. Risk Assessment
### Risks identified before deployment
[What risks were identified before deployment]
### Mitigations in place
[What safeguards address each risk]
### Residual risks
[Risks that were identified but not fully mitigated]
---
## 6. Incident Log
[Summary of any AI-related incidents, outcomes, and remediation steps — from interview Q11.
If none: "No AI-related incidents recorded as of [date]."]
---
## 7. Open Questions
[Fields that could not be populated — require input from responsible party or legal review before
this document is considered complete]
```
After writing
Report:
- Service name and risk classification documented
- How many open questions remain
- Whether MODULE_MANIFEST.md was available (affects completeness)
- Path to the generated file
If the risk classification is HIGH-RISK, note explicitly:
```
HIGH-RISK classification: This service may require a conformity assessment under the EU AI Act.
Conformity assessments for high-risk AI systems require a notified body in some cases.
Legal review of the classification and assessment requirements is strongly recommended.
```
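One way to compute the "After writing" report fields from a generated card, as an added example that is not part of the skill itself. The names `summarize_card`, `REQUIRED_SECTIONS` and `SAMPLE_CARD` are hypothetical and the sample card is constructed; the section headings and the open-question marker are copied from the Phase 4 template and Phase 3 above.

```python
import re

# Section headings taken from the Phase 4 template on this page.
REQUIRED_SECTIONS = [
    "1. System Description", "2. Data", "3. Performance", "4. Human Oversight",
    "5. Risk Assessment", "6. Incident Log", "7. Open Questions",
]
OPEN_MARKER = "[OPEN QUESTION"  # prefix of the Phase 3 placeholder


def summarize_card(text):
    """Return the report fields for one generated system card (hypothetical helper)."""
    title = re.search(r"^# EU AI Act System Card:\s*(.+)$", text, re.M)
    risk = re.search(r"^\*\*Risk classification:\*\*\s*(.+)$", text, re.M)
    # Only level-2 headings count; "### ..." subsections do not match "## ".
    headings = {h.strip() for h in re.findall(r"^## (.+)$", text, re.M)}
    risk_value = risk.group(1).strip() if risk else None
    # An unfilled template slot such as "[Minimal / Limited / High]" is a gap too.
    if risk_value and risk_value.startswith("["):
        risk_value = None
    return {
        "service": title.group(1).strip() if title else None,
        "risk": risk_value,
        "open_questions": text.count(OPEN_MARKER),
        "missing_sections": [s for s in REQUIRED_SECTIONS if s not in headings],
        "needs_conformity_note": bool(risk_value)
        and risk_value.lower().startswith("high"),
    }


# Constructed sample: two unanswered fields and section 6 left out by mistake.
SAMPLE_CARD = """\
# EU AI Act System Card: loan-scoring
**Risk classification:** High
## 1. System Description
### Limitations
[OPEN QUESTION — requires input from responsible party]
## 2. Data
## 3. Performance
### Monitoring in place
[OPEN QUESTION — requires input from responsible party]
## 4. Human Oversight
## 5. Risk Assessment
## 7. Open Questions
"""

if __name__ == "__main__":
    print(summarize_card(SAMPLE_CARD))
```

A non-empty `missing_sections` list or a `risk` of `None` means the card was not written from the full template and should be regenerated before legal review.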