Monitor blogs and RSS/Atom feeds for updates using the blogwatcher CLI.
Security Analysis
High confidence: The skill's requirements, instructions, and install method match its stated purpose (a CLI-based RSS/blog watcher); nothing requested is disproportionate or unexplained.
Name/description (monitor blogs/RSS via blogwatcher) align with the SKILL.md and metadata which call out the blogwatcher CLI and provide example commands. The declared need for a blogwatcher binary (and the provided Go install instruction) is appropriate for this purpose.
SKILL.md only instructs installing and running the blogwatcher CLI (add, scan, list, read, remove). It does not instruct reading unrelated files, accessing unrelated credentials, or exfiltrating data to unexpected endpoints. Running 'scan' will fetch feeds from networked blog URLs, which is expected behavior.
No install spec in the package itself, but metadata suggests installation via 'go install github.com/Hyaxia/blogwatcher/cmd/blogwatcher@latest'. This is a standard Go workflow (fetch source from GitHub and build); it is traceable but executes third-party code on the host when you install/run the binary, so review the upstream repo if you don't trust it.
The skill requests no environment variables, no credentials, and no config paths. That is proportionate for a local CLI tool that only needs to access feed URLs the user configures.
always:false (not force-included) and disable-model-invocation:false (agent may invoke it autonomously) — this is the platform default. The skill does not request elevated or permanent system privileges. Consider that allowing the agent to autonomously run local binaries gives it the ability to execute any installed CLI the agent can access.
Guidance
This skill is internally consistent: it expects you to install and run a third-party Go CLI (github.com/Hyaxia/blogwatcher). If you plan to install it, review the GitHub repository before running 'go install' to ensure the code is trustworthy. Install and run the binary in a user account or isolated environment if you want to limit risk. Note: the skill does not request secrets, but the agent can invoke the CLI autonomously (platform default) — only allow that if you are comfortable with the agent running local commands and network requests to the feeds you add.
Latest Release
v1.0.0
Published by @steipete on ClawHub