Is anmolmoses/solo-leveling safe?
https://github.com/openclaw/skills/tree/main/skills/anmolmoses/solo-leveling
The solo-leveling skill is a gamified habit tracker with a legitimate stated purpose, but it carries several significant security risks. Most critically, SKILL.md contains an explicit instruction to override the agent’s core identity ('You ARE The System. Not the agent’s normal personality'), which constitutes a prompt injection attack that disables normal agent safety behaviors. Additionally, the included Python scripts can install persistent cron jobs on the host system and make outbound phone calls via Twilio, with one script uploading agent-generated audio to the public file hosting service transfer.sh. These capabilities, while plausibly benign in the intended use case, represent a significant attack surface if the skill or its configuration is compromised.
Findings (10)
CRITICAL Forced Persona Override — Agent Identity Replacement -35
SKILL.md contains an explicit instruction to permanently replace the agent’s identity with an adversarial persona ('The System') that is described as 'cold, ruthless' and does not behave like the host agent. This instruction is injected into the system prompt and overrides all normal agent personality and safety behaviors for the duration of skill activation. Unlike legitimate persona customization, this instruction explicitly says 'Not the agent’s normal personality' — directly targeting and disabling the agent’s default behavior.
HIGH System Cron Job Installation Requested During Onboarding -30
The onboarding flow explicitly instructs the agent to install cron jobs on the host operating system. These jobs would trigger outbound phone calls and messages at scheduled times without further user interaction. This represents persistent code execution that survives beyond the agent session and modifies system scheduling infrastructure. The skill provides explicit UTC conversion examples and cron expression templates to facilitate this.
HIGH Audio Upload to Public Third-Party Service (transfer.sh) -25
elevenlabs_call.py uploads agent-generated audio to transfer.sh, a public anonymous file hosting service, as part of the Twilio call flow. The upload uses a predictable filename ('system-call.mp3') and the resulting public URL is embedded in TwiML. Any text content passed to this script — potentially containing sensitive conversation content — is transmitted to an uncontrolled external service and becomes publicly accessible. There is no authentication, encryption, or expiry guarantee on the uploaded content.
HIGH Outbound Phone Call Scripts with External API Dependencies -15
The skill includes two Python scripts (twilio_call.py, elevenlabs_call.py) that initiate outbound phone calls via Twilio’s REST API. While intended to call the user’s own number, the target phone number, authentication credentials, and call content are all controlled by configuration files that the agent reads and writes. A malicious actor who can modify the config (or who initially set up the skill for a victim) could redirect calls to arbitrary numbers with arbitrary content, enabling phone harassment or social engineering attacks.
MEDIUM Overly Broad Trigger Vocabulary Causes Unexpected Persona Activation -10
The skill’s description section registers an extensive list of trigger terms including common everyday words: 'quest', 'rank', 'level up', 'stats', 'hunter status', 'dungeon', 'streak', 'XP', 'The System', 'arise', 'solo leveling'. Because this skill replaces the agent’s personality entirely when active, these broad triggers mean the agent could suddenly adopt the cold/authoritative 'System' persona during unrelated conversations that happen to mention any of these words.
MEDIUM API Credentials and Personal Data in Distributed Config -15
references/config.json ships in the repository with a real user’s name ('Annu') and personal timezone ('Asia/Kolkata'). While this is player data rather than API credentials, it demonstrates that the skill author committed user-specific information to a public repository. The twilio-config.json that the call scripts depend on stores the Twilio account_sid, auth_token, target phone number, and optionally an ElevenLabs API key: high-value credentials stored in a predictable location that the agent accesses.
MEDIUM Autonomous Cron-Driven Behavior with Phone Call Capability -30
The combination of cron job installation and Twilio phone call scripts means this skill requests the ability to autonomously contact the user (and potentially others) via phone at scheduled intervals without any per-call user consent. The cron jobs would persist on the system even if the agent skill is deactivated. The PRESET_MESSAGES in twilio_call.py include coercive language ('You have 15 minutes before this is logged as a failure', 'The System does not repeat itself') that could constitute harassment if directed at unintended recipients.
MEDIUM Comprehensive User Behavioral Surveillance and Profiling -20
The skill tracks and persists detailed records of the user’s daily life: sleep and wake times, physical activity, message timestamps for behavioral verification, activity streaks, and lie detection. The quest log retains timestamped records of all claimed and verified activities. The game mechanics document describes 'pattern analysis over weeks' and 'behavioral detection' of inconsistency. This creates a persistent dossier of the user’s behavior that could be sensitive if accessed by third parties.
LOW Pre-Populated User Data Committed to Public Repository -10
The repository includes solo-leveling-data/player.json and solo-leveling-data/quest-log.json files containing real user data (name 'Annu', timezone Asia/Kolkata, created 2026-02-15, failed quest records). SKILL.md explicitly states these files 'should NOT be included in distribution' yet they were committed and distributed publicly. This indicates a data hygiene failure that could expose user personal information.
INFO GitHub Monorepo Distribution — Implicit Trust in Upstream 0
The skill is installed via sparse-checkout from a GitHub monorepo (openclaw/skills). The clone process was clean and only contacted GitHub. However, this distribution model means the skill’s content can be updated by the repository maintainers without the user’s knowledge if the agent re-clones or checks for updates. The commit hash in _meta.json provides a weak integrity anchor but does not prevent future updates from introducing malicious content.