dual-channel-watchexec
Audited by Socket on Feb 27, 2026
1 alert found:
Security

This skill is primarily documentation and example scripts for sending notifications to legitimate external services (Telegram and Pushover) in response to watchexec events. The functionality itself is coherent with the stated purpose. The main security concerns are operational: (1) potential exfiltration of sensitive crash/context data to third-party services if message contents or archived logs include secrets, (2) direct interpolation of environment variables and message content into shell/curl commands without comprehensive sanitization or safe quoting, and (3) asynchronous/background execution that may send data without immediate oversight. There are no signs of obfuscated code, embedded malware, or downloader/install chains.

Recommended mitigations: sanitize and whitelist content included in notifications, redact sensitive fields before sending or archiving, use safe shell quoting and curl form APIs, minimize permissions for notification tokens, and document least-privilege and approval workflows for automated notifications.