
file-watcher

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • Command Execution (HIGH): The script scripts/file_watcher.py allows for the execution of arbitrary shell commands via the --exec (or -e) command-line argument. These commands are executed using subprocess.run(shell=True), which grants the agent high-privilege access to the host system. Any command provided by the agent or a user is executed with shell interpretation enabled.
  • Indirect Prompt Injection (MEDIUM): The skill monitors external file system states (Category 8c). An attacker who can create or modify files in a directory watched by this tool can trigger the execution of the configured shell command at will.
  • Ingestion points: File system metadata (filenames and modification times) via os.walk and os.stat in scripts/file_watcher.py.
  • Boundary markers: None. The tool prints file events directly to stdout without sanitization.
  • Capability inventory: subprocess.run(shell=True) (arbitrary command execution), os.walk and os.stat (file system enumeration and read).
  • Sanitization: None. Filenames are printed directly, and the exec_cmd is executed without any validation or escaping.
  • Metadata Poisoning (MEDIUM): Both SKILL.md and scripts/file_watcher.py claim the tool is based on the watchdog library (https://github.com/gorakhargosh/watchdog). However, the actual implementation is a rudimentary manual polling loop. This misleading metadata can cause users to overestimate the tool's performance and security properties.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 07:30 AM