elsewhere-companion

Before installing, consider the following: - Metadata mismatch: The skill needs GEMINI_API_KEY but the registry metadata does not list any required env vars. Ensure you know where to store the API key — the code loads a top-level .env (PROJECT_ROOT/.env) but SKILL.md tells you to create data/.env; this mismatch can cause misconfiguration. - Missing files: SKILL.md mentions requirements.txt and references/state_machine.md but these files aren't in the package. You will need to create a requirements.txt (google-genai, jinja2, Pillow, python-dotenv) or otherwise install those packages yourself. - Privacy risk: The skill will upload any reference photo you provide and persona/itinerary data to the Gemini API and use Google Search grounding. If the reference image contains sensitive information or faces you don't want sent to a cloud API, do not upload it. - Environment leakage: run_cron.py launches subprocesses that inherit the current environment. Avoid running this skill in an environment that already contains unrelated secrets (AWS keys, tokens). Prefer running in an isolated environment or container with only the GEMINI_API_KEY set. - Verification: Because the source and homepage are unknown, consider inspecting the code locally and running it in a sandbox before giving it network access or your real Gemini API key. If you proceed, place only the Gemini key (and no other secrets) in the .env the code actually reads, and confirm which .env path is used. Given these inconsistencies and privacy-sensitive behavior, treat the skill cautiously. The issues look like sloppy packaging and documentation rather than overtly malicious code, but the lack of clear metadata and the fact that user images and environment variables are transmitted to external services justify caution.