GEDCOM Explorer

Security checks across malware telemetry and agentic risk

Overview

This is a local GEDCOM-to-HTML dashboard generator, with privacy considerations but no evidence of hidden credential use, destructive behavior, or data exfiltration.

Install/use this only for GEDCOM files you intend to process, and treat the generated HTML as private because it embeds family data. Avoid sharing or publicly hosting the output unless you have reviewed/redacted living-person details. For stricter privacy, remove or block the Google Fonts link and serve the file only from a dedicated local directory.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration

Findings (5)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 90% confidence
Finding: The skill instructs users to read a local GEDCOM file and write a generated HTML file, but the metadata shown here does not declare corresponding permissions. Undeclared file access weakens user consent and policy enforcement because the skill can handle potentially sensitive genealogy records and produce a shareable artifact without an explicit capability declaration.

Description-Behavior Mismatch

Medium

Confidence: 94% confidence
Finding: The generated HTML loads Google Fonts from an external domain, which causes user IP addresses, user agents, referrers, and access timing to be disclosed whenever the supposedly self-contained dashboard is opened. In a genealogy context, this is sensitive because the HTML embeds family-history data locally, so opening it can create an unintended third-party access signal tied to private family research.

Vague Triggers

Medium

Confidence: 81% confidence
Finding: Broad trigger phrases like 'family tree', 'ancestors', and 'family history dashboard' can cause the skill to activate in contexts where the user did not intend local file parsing or HTML generation. That increases the chance of unnecessary handling of sensitive personal genealogy data and accidental creation of an embedded, shareable output file.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill describes generating a self-contained HTML file with inline JSON from genealogy data but does not warn that the result bundles potentially sensitive family information into an easily copied and shared document. GEDCOM files often contain names, dates, places, and relationships for living or recently deceased people, so silent export into portable HTML creates meaningful privacy and data-leak risk.

Missing User Warnings

Medium

Confidence: 82% confidence
Finding: The tool exports a standalone HTML file containing extensive family-history data without any privacy notice, minimization, or consent checkpoint. Genealogy records commonly include sensitive personal data about living or recently deceased individuals, so users may unknowingly create a portable file that is easy to share, leak, or publish.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal