GEDCOM Explorer

Review

Audited by ClawScan on May 10, 2026.

Overview

Prompt-injection indicators were detected in the submitted artifacts (unicode-control-chars); human review is required before treating this skill as clean.

This looks reasonable for local GEDCOM visualization. Before using it, remember that the output HTML contains the family data from your GEDCOM file, avoid sharing or broadly serving that file, and run the script only on files and paths you trust. ClawScan detected prompt-injection indicators (unicode-control-chars), so this skill requires review even though the model response was benign.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If run with the wrong paths or on an untrusted GEDCOM file, it can process private data and create or overwrite an output HTML file.

Why it was flagged

The skill is invoked through a local Python command that reads a user-specified GEDCOM file and writes an HTML output file. This is central to the stated purpose, but it does give the script local file read/write authority over the paths the user supplies.

Skill content

python3 scripts/build_explorer.py <input.ged> [output.html] [--title "Title"] [--subtitle "Subtitle"]

Recommendation

Run it only on GEDCOM files you intend to process, choose an output path you control, and keep a backup if writing over an existing HTML file.

What this means

Anyone who receives or can open the generated HTML may be able to view the family-history data embedded in it.

Why it was flagged

The generated HTML persists the GEDCOM's people, family relationships, dates, and places inside one portable file. That is disclosed and purpose-aligned, but GEDCOM data can be sensitive.

Skill content

extracts all individuals + families, computes stats, and embeds everything as inline JSON in a single HTML file

Recommendation

Treat the output HTML as private data; avoid sharing it publicly and consider redacting living people before generating a dashboard.

What this means

The dashboard and other files in the served directory could be reachable outside the intended browser session if the server is accessible on the local network.

Why it was flagged

The optional serving instructions start a simple web server for the output directory. This is user-directed, but it can expose files in that directory beyond just the dashboard depending on host and network settings.

Skill content

python3 -m http.server 8899
# Open http://localhost:8899/family-explorer.html

Recommendation

If you serve the file, use a dedicated output directory and bind to localhost, for example: `python3 -m http.server 8899 --bind 127.0.0.1`.

What this means

Users must rely on the packaged artifacts rather than an independently verifiable project page.

Why it was flagged

The skill does not provide an upstream source or homepage, so users have less external provenance information for the included Python script.

Skill content

Source: unknown
Homepage: none

Recommendation

Review the included script before first use if provenance matters, and run it in a directory containing only the files you intend to use.