Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Genealogy Agent (v1.0.1)
Extract, structure, research, and visualize family history from raw text. Builds knowledge graphs, generates Mermaid trees, Obsidian vaults, and GEDCOM exports.
by Flo (@flobo3)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
Name/description align with the included scripts: extraction (extract.py), graph building, Mermaid/Obsidian generation, GEDCOM export, and autonomous research (research.py). The requested capabilities (LLM extraction and web search) are reasonable for genealogy. Minor mismatch: the manifest (skill.json) does not declare the LLM-related environment variables that the SKILL.md and scripts expect.
Instruction Scope
SKILL.md and scripts explicitly instruct the agent to call an LLM (litellm) and to perform web searches (duckduckgo_search) for 'auto-research'. That means user-provided PII (names, dates, places) will be sent to external LLM providers and queried against public websites. This behavior is consistent with the skill's stated 'Auto-Research' feature but is privacy-sensitive and should be highlighted to users.
Install Mechanism
This is instruction-only (no formal install spec) but SKILL.md tells users to install dependencies with the command `uv pip install pydantic litellm duckduckgo-search` and the manifest's tool commands use `uv run ...`. The 'uv' prefix is non-standard/unclear (likely a typo or dependency on an undocumented CLI). There is no declared install script or required binary named 'uv', which is an incoherence that could break execution or lead users to run unfamiliar commands.
Credentials
The code uses litellm and the SKILL.md tells users to set provider keys (OPENAI_API_KEY or GEMINI_API_KEY), but the skill metadata lists no required environment variables or primary credential. Asking for LLM API keys is proportionate to the stated functionality, but the manifest omission is misleading and increases the chance a user will inadvertently leak family PII to third-party LLMs without realizing the skill requires those keys.
Persistence & Privilege
The skill does not request persistent/always-on privileges (always:false), does not modify other skills, and has no declared system-wide config changes. It operates via invoked scripts and local file I/O only.
What to consider before installing
This skill appears to implement the genealogy features it claims, but take these precautions before installing:
1) Check the 'uv' usage: the SKILL.md and skill.json use `uv run` and `uv pip install`, which is unusual; confirm what 'uv' refers to or correct it to the intended commands (likely plain `python`/`pip` or a documented runner).
2) Expect the research tool to perform web searches and to send extracted context to whichever LLM provider you configure. Do not supply API keys if you are unwilling to send private family data to third-party services.
3) The manifest does not declare required environment variables (OPENAI_API_KEY/GEMINI_API_KEY); ask the author to list them explicitly in the skill metadata.
4) If you care about privacy, run the scripts locally in an isolated environment (air-gapped or without LLM keys) or remove/disable the research component before use.
5) Review the scripts yourself (they are small and included); they perform only local file writes and web searches via duckduckgo_search, with no obvious obfuscated code or external upload endpoints.
If the author can clarify the 'uv' commands and update the metadata to declare LLM credentials, the skill would be more coherent and easier to trust.
