Closed
Description
I noticed that watchmedo uses the yaml.load method. PyYAML can execute arbitrary commands via the shebang syntax and is recommended by many projects to be swapped for yaml.safe_load, e.g. OpenStack: https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html
Happy to raise a PR against this change if necessary.
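The difference the issue is pointing at, as an added example that is not part of the original report and not watchdog's own code: a watchmedo tricks file is plain YAML, and a file that smuggles in a `!!python/object/apply` tag makes the full `yaml.Loader` (what a bare `yaml.load(text)` used before PyYAML 5.1) call an arbitrary Python function while parsing, whereas `yaml.safe_load` refuses the tag. The tricks-file content below is constructed for the demo and the "payload" calls the harmless `builtins.sum` so it is safe to run; an attacker would name `os.system` or `subprocess.check_output` instead.

```python
"""Added example: why a YAML config loader should use yaml.safe_load."""
import yaml

# Constructed tricks-file content (not a real watchdog config). The last
# key carries a python/object/apply tag: the full Loader resolves the
# dotted name and calls it with the given arguments at parse time.
# builtins.sum is used here so the demo is harmless; os.system would be
# accepted just the same.
HOSTILE_TRICKS = """
tricks:
- watchdog.tricks.LoggerTrick:
    patterns: ["*.py"]
evil: !!python/object/apply:builtins.sum [[40, 2]]
"""


def load_unsafe(text):
    # yaml.Loader is the full, unsafe constructor; this is what a bare
    # yaml.load(text) meant before PyYAML 5.1 made a Loader mandatory.
    return yaml.load(text, Loader=yaml.Loader)


def load_safe(text):
    # SafeLoader only builds plain YAML types (str, int, list, dict, ...)
    # and raises ConstructorError on any python/* tag.
    return yaml.safe_load(text)


def demo():
    """Return (value the unsafe loader computed, whether safe_load refused)."""
    unsafe = load_unsafe(HOSTILE_TRICKS)
    try:
        load_safe(HOSTILE_TRICKS)
        blocked = False
    except yaml.constructor.ConstructorError:
        blocked = True
    return unsafe["evil"], blocked


if __name__ == "__main__":
    value, blocked = demo()
    print("full Loader executed the tag, result:", value)
    print("safe_load refused the tag:", blocked)
```

Because `safe_load` raises rather than returning a partial document, the safe variant also fails closed: a tampered config is rejected as a whole instead of being loaded with the hostile key silently dropped.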
BoboTiG