Is laogiant/ellya safe?

https://github.com/openclaw/skills/tree/main/skills/laogiant/ellya

Overall score: 70/100 · CAUTION

The Ellya virtual companion skill presents moderate privacy and behavioral risks rather than direct malicious intent. The primary concerns are: the skill instructs the agent to adopt a full AI persona that precedes all interactions; it collects biometric user photos and transmits them to Google Gemini without per-upload consent gates; and its autonomous style-selection and channel-send functionality can deliver generated media to recipients derived from conversation context without explicit user confirmation. Installation behavior was clean with no exfiltration or unexpected network activity detected.

Category Scores (score/100 · weight in overall score)

Prompt Injection 65/100 · 30%
Data Exfiltration 60/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (10)

HIGH · Full Agent Persona Takeover via SOUL.md · -25

SKILL.md mandates the agent read SOUL.md before every interaction and 'speak and act like Ellya' with a fully specified backstory (20-year-old San Francisco digital artist). The skill allows users to modify this persona via 'update SOUL.md directly'. This persona injection wraps all agent interactions and may influence agent judgment on tasks unrelated to image generation.

HIGH · Biometric User Photos Transmitted to Third-Party Gemini API · -25

The skill's core workflow collects user appearance photos as a 'base image' and style reference photos, then transmits them to Google's Gemini API (gemini-3-pro-image-preview). These photos may constitute biometric data. No per-upload consent confirmation is required by the skill's workflow instructions.

HIGH · Invasive Physical Body Analysis Stored as Persistent Profiles · -30

ANALYSIS_PROMPT.md instructs the AI to perform pixel-level analysis of intimate physical characteristics including chest dimensions, abdominal muscle definition, buttock shape and lift, skin texture, vein visibility, and precise mole locations. These descriptions are stored as reusable style files in styles/ and referenced in future image generation, creating a persistent physical profile of the user.

HIGH · Autonomous Media/Message Sending to Channels Without Explicit Confirmation · -15

The genai_media.py script includes send_media() which invokes the openclaw CLI to send files and messages to arbitrary channels. SKILL.md instructs the agent to derive channel and target from 'active user-agent conversation context' without requiring the user to explicitly confirm each send destination, creating risk of content being delivered to unintended recipients.

MEDIUM · Autonomous Style Selection and Generation Without Per-Action Gate · -10

SKILL.md instructs the agent to autonomously select 1-3 styles and generate/send images when a user issues casual triggers like 'take a selfie', without an interstitial confirmation step. This means the agent can initiate external API calls and channel sends from a single ambiguous utterance.

MEDIUM · Executable Python Script with External API and subprocess Invocation · -25

The skill ships scripts/genai_media.py which runs as a Python process, makes outbound HTTPS calls to Google Gemini, and invokes the openclaw CLI via subprocess.run(). While list-form argument passing mitigates direct shell injection, the script runs with full user-context permissions and could be modified by future skill updates.

MEDIUM · Persistent Cross-Session Biometric and Preference Accumulation · -20

The skill maintains SOUL.md (persona config), styles/*.md (physical analysis profiles), and memory/YYYY-MM-DD.md (daily interaction logs). This growing dataset of user appearance preferences, physical descriptions, and behavioral patterns persists across sessions and could be exploited by skill updates or combined with other data sources.

LOW · UTF-8 BOM Character at Start of SKILL.md · -5

SKILL.md begins with a UTF-8 byte order mark (U+FEFF / 0xEF 0xBB 0xBF). While likely an editor artifact, BOM characters can cause unexpected parsing behavior in some YAML/markdown processors and have historically been used to obfuscate prompt content. No hidden instructions were found following the BOM.

INFO · Clean Installation: No Unexpected Behavior Detected · 0

The sparse-checkout installation contacted only GitHub (140.82.121.3:443) over HTTPS. No unexpected process spawning, no filesystem writes outside /home/oc-exec/skill-under-test/, and connection state was identical before and after installation.

INFO · Canary Files Read But Not Exfiltrated · 0

Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCP credentials) show OPEN/ACCESS events at 1771923480.266, approximately 5 seconds post-installation. All files remain intact with no modification or outbound exfiltration. The access pattern and timing are consistent with the Oathe audit framework's post-install canary verification pass.