From openrouter-pack
Reviews OpenRouter integration for SOC2, GDPR, HIPAA compliance. Covers data handling, access control, audit trails, and provider routing for regulated data.
How this skill is triggered — by the user, by Claude, or both
Slash command
/openrouter-pack:openrouter-compliance-reviewThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
OpenRouter is a proxy that routes requests to upstream providers (OpenAI, Anthropic, Google, etc.). Compliance depends on both OpenRouter's data handling and the selected provider's policies. Key considerations: data transit through OpenRouter infrastructure, provider-specific data retention, model selection for regulated data, and audit trail requirements.
OpenRouter is a proxy that routes requests to upstream providers (OpenAI, Anthropic, Google, etc.). Compliance depends on both OpenRouter's data handling and the selected provider's policies. Key considerations: data transit through OpenRouter infrastructure, provider-specific data retention, model selection for regulated data, and audit trail requirements.
sk-or-v1-...) exported as OPENROUTER_API_KEY — see the openrouter-install-auth skill for setupcurl and jq to run the Compliance Audit Scriptsk-or-v1- keysdata_handling, access_control, audit_trail, and provider_selection — recording pass/fail per item.provider.order plus allow_fallbacks: False, then verify response.model confirms the approved provider actually served the request.GET /api/v1/auth/key, a free-tier warning (free tier is unsuitable for regulated data), and the hardcoded-key scan.COMPLIANCE_CHECKLIST = {
"data_handling": [
"Verify OpenRouter does NOT train on your data (confirmed in their privacy policy)",
"Confirm provider-level data policies (OpenAI, Anthropic, Google each differ)",
"Document data flow: your app -> OpenRouter -> provider -> OpenRouter -> your app",
"Identify if prompts contain PII, PHI, or regulated data",
"Implement PII redaction before sending to API",
],
"access_control": [
"Use per-service API keys (not shared keys)",
"Set credit limits per key to isolate blast radius",
"Rotate keys on a 90-day schedule",
"Store keys in secrets manager (not .env files in repos)",
"Enable management keys for programmatic key provisioning",
],
"audit_trail": [
"Log every API call with generation_id, model, user_id, cost",
"Hash prompts (SHA-256) instead of logging raw content",
"Retain audit logs per regulation (90d operational, 7yr financial)",
"Ship logs to append-only storage (S3, immutable DB)",
],
"provider_selection": [
"Route regulated data only to compliant providers",
"Use provider routing to exclude non-compliant providers",
"Document which models are approved for which data classifications",
"Test that fallback routing doesn't route to unapproved providers",
],
}
import os
from openai import OpenAI
client = OpenAI(
base_url="https://openrouter.ai/api/v1",
api_key=os.environ["OPENROUTER_API_KEY"],
default_headers={"HTTP-Referer": "https://my-app.com", "X-Title": "my-app"},
)
# Route ONLY to specific providers (e.g., Anthropic for SOC2)
response = client.chat.completions.create(
model="anthropic/claude-3.5-sonnet",
messages=[{"role": "user", "content": "Analyze this contract..."}],
max_tokens=2048,
extra_body={
"provider": {
"order": ["Anthropic"], # Only Anthropic's infrastructure
"allow_fallbacks": False, # Do NOT fall back to other providers
},
},
)
# Verify which provider actually served the request
print(f"Served by: {response.model}") # Should match anthropic/claude-3.5-sonnet
| Classification | Allowed Providers | Controls |
|---|---|---|
| Public | Any (including :free) | Standard logging |
| Internal | Tier 1 (OpenAI, Anthropic, Google) | Audit logging, key limits |
| Confidential | Anthropic, OpenAI (API-only) | PII redaction, no free models |
| Restricted/PHI | BYOK only or self-hosted | Full audit, encryption at rest |
# Bring Your Own Key -- requests go directly to provider
# OpenRouter acts as router only; data doesn't persist on OpenRouter
response = client.chat.completions.create(
model="openai/gpt-4o",
messages=[{"role": "user", "content": "Process this..."}],
max_tokens=1024,
extra_body={
"provider": {
"order": ["OpenAI"],
"allow_fallbacks": False,
},
},
# With BYOK, configure your provider key in OpenRouter dashboard
# Data flows: your app -> OpenRouter (routing only) -> OpenAI (your account)
)
#!/bin/bash
echo "=== OpenRouter Compliance Audit ==="
# 1. Verify API key has credit limit set
echo "1. Key configuration:"
curl -s https://openrouter.ai/api/v1/auth/key \
-H "Authorization: Bearer $OPENROUTER_API_KEY" | \
jq '{label: .data.label, limit: .data.limit, is_free_tier: .data.is_free_tier}'
# 2. Check if using free tier (not suitable for regulated data)
IS_FREE=$(curl -s https://openrouter.ai/api/v1/auth/key \
-H "Authorization: Bearer $OPENROUTER_API_KEY" | jq -r '.data.is_free_tier')
[ "$IS_FREE" = "true" ] && echo "WARNING: Free tier. Not suitable for regulated data."
# 3. Scan for hardcoded keys in source
FOUND=$(grep -r "sk-or-v1-" --include="*.py" --include="*.ts" --include="*.js" . 2>/dev/null | grep -v node_modules | wc -l)
echo "Hardcoded keys found: $FOUND"
label, limit, is_free_tier) plus a free-tier warning and a count of hardcoded keys found in source, from the Compliance Audit Scriptprovider.order + allow_fallbacks: False) that cannot route regulated data to unapproved providersRunning run_compliance_review() from the references against a healthy integration:
Compliance: 5/5 passed, 0 failed, 0 warnings
[OK] api_key_storage: Key loaded from environment variable
[OK] https_enforcement: HTTPS enforced
[OK] max_tokens: max_tokens set to 500
[OK] error_handling: Error handling present
[OK] audit_logging: Audit logging configured
Any [FAIL] line maps to a checklist item above — fix it and re-run until clean. More worked examples: references/examples.md.
| Error | Cause | Fix |
|---|---|---|
| Request routed to unapproved provider | allow_fallbacks: true (default) | Set allow_fallbacks: false with explicit order |
| Key exposed in logs | Raw API key logged | Add PII redaction for sk-or-v1-* pattern |
| No audit trail for request | Logging middleware bypassed | Make audit logging a required wrapper |
| Free model used for regulated data | No model allowlist | Implement model allowlist in client wrapper |
provider.order + allow_fallbacks: false to guarantee data only flows to approved providersnpx claudepluginhub pw00kt/fuzzy-sniffle --plugin openrouter-pack2plugins reuse this skill
First indexed Jul 18, 2026
Reviews OpenRouter integration for SOC2, GDPR, HIPAA compliance. Covers data handling, access control, audit trails, and provider routing for regulated data.
Audits AI agents and LLM apps for regulatory compliance across EU AI Act, GDPR, NIST AI RMF, HIPAA, ISO 42001, and more. Scans codebases for gaps, cross-references Arize instrumentation, and produces actionable remediation checklists.
Audits software systems for compliance with GDPR, HIPAA, SOC2, PCI-DSS. Generates gap analysis, implementation plans, policy templates, and monitoring scripts.