Security Scan
OpenClaw
Suspicious
medium confidence
Assessment and recommendations
This skill appears to implement the genealogy features it claims, but take these precautions before installing: 1) Check the 'uv' usage — the SKILL.md and skill.json use `uv run` and `uv pip install`, which is unusual; confirm what 'uv' refers to or correct it to the intended commands (likely plain `python`/`pip` or a documented runner). 2) Expect the research tool to perform web searches and to send extracted context to whichever LLM provider you configure — do not supply API keys if you are un...
ℹ Purpose and capabilities
Name/description align with the included scripts: extraction (extract.py), graph building, Mermaid/Obsidian generation, GEDCOM export, and autonomous research (research.py). The requested capabilities (LLM extraction and web search) are reasonable for genealogy. Minor mismatch: the manifest (skill.json) does not declare the LLM-related environment variables that the SKILL.md and scripts expect.
ℹ Instruction scope
SKILL.md and scripts explicitly instruct the agent to call an LLM (litellm) and to perform web searches (duckduckgo_search) for 'auto-research'. That means user-provided PII (names, dates, places) will be sent to external LLM providers and queried against public websites. This behavior is consistent with the skill's stated 'Auto-Research' feature but is privacy-sensitive and should be highlighted to users.
⚠ Install mechanism
This is instruction-only (no formal install spec) but SKILL.md tells users to install dependencies with the command `uv pip install pydantic litellm duckduckgo-search` and the manifest's tool commands use `uv run ...`. The 'uv' prefix is non-standard/unclear (likely a typo or dependency on an undocumented CLI). There is no declared install script or required binary named 'uv', which is an incoherence that could break execution or lead users to run unfamiliar commands.
⚠ Credential requirements
The code uses litellm and the SKILL.md tells users to set provider keys (OPENAI_API_KEY or GEMINI_API_KEY), but the skill metadata lists no required environment variables or primary credential. Asking for LLM API keys is proportionate to the stated functionality, but the manifest omission is misleading and increases the chance a user will inadvertently leak family PII to third-party LLMs without realizing the skill requires those keys.
✓ Persistence and privileges
The skill does not request persistent/always-on privileges (always:false), does not modify other skills, and has no declared system-wide config changes. It operates via invoked scripts and local file I/O only.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.1 2026/4/3
● Suspicious
Install command
Official: `npx clawhub@latest install genealogy-agent`
Mirror (available): `npx clawhub@latest install genealogy-agent --registry https://cn.longxiaskill.com`