The Agent Skills Directory

[COMMAND_EXECUTION]: The script scripts/gossamer.py utilizes subprocess.run to execute a Python script (check_update.py) found in a sibling skill's directory. The target script path is resolved at runtime by searching through the project's skill installation directories, which constitutes dynamic code execution from computed paths.
[EXTERNAL_DOWNLOADS]: The skill's update logic (found in SKILL.md and scripts/gossamer.py) facilitates the installation of the qwencloud-update-check utility via the npx skills add command. This mechanism downloads and executes code from the QwenCloud/qwencloud-ai repository.
[DATA_EXFILTRATION]: The library scripts/qwencloud_lib.py includes a resolve_file function that can read local files and either convert them to base64 strings or upload them to the dashscope-intl.aliyuncs.com endpoint. While intended for multimodal processing, this creates a potential vector for local data to be sent to external infrastructure if sensitive file paths are passed to the tool.

qwencloud-text