familysearch

This skill's stated purpose (read-only FamilySearch access, GEDCOM export, record/memory download) matches the documented capabilities. There is no direct evidence in the provided documentation of active malicious code, exfiltration endpoints, obfuscated payloads, or exploits. However, the design choices increase supply-chain and credential exposure risk: the package ships a pre-registered client ID and encourages programmatic login using raw username/password (including examples with CLI flags), and it relies on installing and running a third-party CLI (getmyancestors) that will handle user credentials. These are legitimate functional choices for convenience, but they broaden the trust boundary and make credential harvesting more feasible if the package or its distribution is compromised. I classify this as not confirmed malware but as a moderate supply-chain/security risk; users should audit the packages, avoid passing passwords on the command line, and prefer registering their own OAuth client where possible.