Awesome-omni-skill privgraph
Privacy and security annotation for Mermaid diagrams. Use this skill when: (1) a user shares or creates a Mermaid flowchart or sequence diagram and asks for privacy, security, or compliance review, (2) a user asks to annotate a diagram with data classifications, controls, trust boundaries, or compliance scope, (3) a user mentions 'privgraph', '@pg:', or 'risk-informed diagram', (4) a user asks about data flow risks, missing controls, or GDPR/HIPAA/PCI compliance gaps in an architecture diagram, (5) a user is writing a design doc with Mermaid diagrams and wants privacy/security feedback embedded in the diagram itself. Do NOT use for general Mermaid syntax help, diagram styling, or non-security topics.
git clone https://github.com/diegosouzapw/awesome-omni-skill
T=$(mktemp -d) && git clone --depth=1 https://github.com/diegosouzapw/awesome-omni-skill "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/development/privgraph" ~/.claude/skills/diegosouzapw-awesome-omni-skill-privgraph && rm -rf "$T"
skills/development/privgraph/SKILL.mdPrivGraph: Mermaid Security & Privacy Annotation
PrivGraph annotates Mermaid diagrams with privacy and security metadata using comment-based directives, then evaluates configurable rules to surface control gaps.
Core Workflow
When a user presents a Mermaid diagram for privacy/security review:
- Parse the diagram — identify nodes, edges, subgraphs, and any existing
annotations@pg: - Classify — determine what data flows where (direct identifiers, health data, credentials, etc.)
- Annotate — add
directives as Mermaid comments for data classes, controls, boundaries, compliance@pg: - Evaluate — check the annotated diagram against the rule set (see
)references/rules.yaml - Report — surface findings with severity, description, and remediation guidance
When a user asks to create a new annotated diagram from scratch, follow steps 2–5 after helping them build the diagram.
Annotation Syntax
All annotations are Mermaid comments and do not affect rendering:
%% @pg:<directive> <target> <parameters>
Directives
— classify data on a flow@pg:data-class
%% @pg:data-class A-->B DIRECT_ID, LOCATION
— declare present or missing (@pg:control
!%% @pg:control UserDB encrypted-at-rest, access-controlled %% @pg:control UserDB !retention-policy %% @pg:control A-->B encrypted-in-transit
— declare trust boundary crossing on a flow@pg:boundary
%% @pg:boundary A-->B third-party
— declare applicable compliance frameworks@pg:compliance
%% @pg:compliance UserDB GDPR, CCPA
— suppress a rule finding with justification@pg:risk-accept
%% @pg:risk-accept Cache PG-003 "24hr TTL enforced at Redis level. Approved 2024-01-10"
— diagram-level metadata@pg:meta
%% @pg:meta owner "platform-team" %% @pg:meta system "checkout-service" %% @pg:meta reviewed "2024-01-15"
Data Classifications
| Classification | Description | Examples |
|---|---|---|
| Direct identifiers | Names, emails, SSNs, phone numbers |
| Indirect/pseudonymous identifiers | Opaque IDs, UUIDs, session tokens, pseudonyms |
| Protected health information | EHR, Diagnoses, prescriptions, lab results |
| Payment card data | Card numbers, CVVs |
| Authentication secrets | Passwords, API keys, tokens |
| Biometric data | Fingerprints, face data, voice prints |
| Location data | GPS coordinates, IP-derived location |
| Financial data | Bank accounts, transactions |
| Other sensitive data | Catch-all for sensitive categories |
| Non-sensitive data | Public content, marketing copy |
Controls
encrypted-at-restencrypted-in-transitaccess-controlledaudit-loggedretention-policyanonymizedminimizedconsent-manageddpa-in-placePrefix with
!Boundaries
internalthird-partycross-regioncross-cloudpublic-internetuser-deviceCompliance Frameworks
GDPRCCPAHIPAAPCI-DSSSOC2FERPARule Evaluation
After annotating, evaluate the diagram against the rule set. Load
references/rules.yaml| Rule | Sev | Trigger |
|---|---|---|
| PG-001 | HIGH | DIRECT_ID/INDIRECT_ID/PHI flow missing |
| PG-002 | HIGH | DIRECT_ID/INDIRECT_ID/PHI node missing |
| PG-003 | MED | Sensitive data node missing |
| PG-004 | HIGH | CREDENTIALS flow missing encryption |
| PG-005 | CRIT | DIRECT_ID to |
| PG-006 | HIGH | PHI to |
| PG-007 | MED | |
| PG-008 | HIGH | HIPAA-scoped flow missing |
| PG-009 | MED | GDPR-scoped node missing |
| PG-010 | LOW | Flow crosses boundary with no controls documented |
| PG-011 | INFO | Node has zero controls documented |
For each violation, check if a
@pg:risk-acceptReporting Format
Present findings grouped by severity. Use this structure:
## PrivGraph Review: [system name or file] ### Findings 🔴 **CRITICAL — PG-005: Direct Identifiers to Third Party Without DPA** Flow: UserSvc → Analytics DIRECT_ID is transferred to a third party without a documented DPA. → Add: `%% @pg:control Analytics dpa-in-place` 🟡 **HIGH — PG-001: Unencrypted Identifier Transfer** Flow: Mobile → API DIRECT_ID transferred without encryption in transit. → Add: `%% @pg:control Mobile-->API encrypted-in-transit` ### Summary X critical, Y high, Z medium | N findings suppressed by @pg:risk-accept
Always output the complete annotated diagram (original diagram with all
@pg:Handling Ambiguity
When data classifications are unclear from the diagram alone:
- Ask the user what data flows through ambiguous edges
- Default to the more sensitive classification when context suggests it
- Flag uncertain classifications with a comment:
%% TODO: Confirm data classification for A-->B
When a diagram has no annotations yet, annotate it fully rather than just listing what's missing. Show the user what a complete annotation looks like.
Supported Diagram Types
- Flowcharts:
— nodes, edges, subgraphs all supportedflowchart LR/TB/etc. - Sequence diagrams:
— participants map to nodes, messages map to edges, boxes map to subgraphssequenceDiagram
For annotation target syntax in sequence diagrams, use participant names:
%% @pg:data-class Client->>Server DIRECT_IDExamples
See
examples/flowchart-annotated.mdexamples/sequence-annotated.md