Skill v1.0.3
ClawScan security
Familysearch · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 26, 2026, 8:33 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requirements align with its genealogy purpose (FamilySearch API + GEDCOM parsing); nothing in the files indicates unexpected credential access or hidden network endpoints.
- Guidance: This skill appears to do what it claims: call FamilySearch APIs (when you provide an OAuth token) and parse GEDCOM files you point it at. Before installing or running it, consider: (1) only provide a FAMILYSEARCH_TOKEN if you trust the skill and want live API lookups — the token will be used to call api.familysearch.org; (2) GEDCOM mode reads local files you specify, so don't point it at sensitive non-gedcom files; (3) the script uses the macOS 'security' tool as a convenience to read Keychain entries if available — it only tries that when no env var is set; (4) inspect the included scripts yourself (they are small and plain Python) if you have doubts. If you do not want the skill to access live FamilySearch data, simply use it in offline GEDCOM mode without setting FAMILYSEARCH_TOKEN.
Review Dimensions
- Purpose & Capability (ok): Name/description match the included scripts and SKILL.md. The Python scripts implement FamilySearch API calls and an offline GEDCOM parser, which are appropriate for the stated genealogy functionality.
- Instruction Scope (ok): SKILL.md instructs only FamilySearch OAuth token storage/retrieval and GEDCOM file usage. The runtime instructions and scripts operate on the FamilySearch API endpoints and user-supplied GEDCOM files; they do not attempt to read arbitrary system files or call unexpected external endpoints.
- Install Mechanism (ok): No install spec; this is instruction-plus-script only. No external downloads or package installs are requested, so nothing is written to disk beyond running the included scripts.
- Credentials (note): No required environment vars are declared in the registry metadata. The SKILL.md documents an optional FAMILYSEARCH_TOKEN env var and macOS Keychain storage for tokens, and the script checks FAMILYSEARCH_TOKEN (and keychain as a fallback). This is proportionate to API mode. Minor inconsistency: SKILL.md mentions storing an app key and token; the included script only attempts to fetch the token from the environment or macOS Keychain (it does not perform a client-secret exchange locally).
- Persistence & Privilege (ok): Skill is not force-included (always: false) and does not request elevated platform privileges or modify other skills. It can be invoked by the agent, which is expected behavior for skills.
