things-mac

Warn

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill's metadata specifies an installation command that downloads and compiles source code from an external, untrusted GitHub repository: github.com/ossianhempel/things3-cli/cmd/things@latest using go install.
  • [COMMAND_EXECUTION]: The skill relies on executing the things CLI tool to interact with the local filesystem and the Things 3 application via URL schemes. The documentation explicitly instructs the user to grant 'Full Disk Access' to the application, which is a high-privilege permission that exposes sensitive system and application data to the installed binary.
  • [PROMPT_INJECTION]: The skill facilitates indirect prompt injection by reading user-controlled data from the local Things database (tasks, notes, projects). This content is then provided to the agent, creating a surface where malicious instructions stored in a task could potentially influence the agent's behavior during search or list operations.
  • [DATA_EXPOSURE]: The skill's primary function is to read sensitive personal information from the local Things database. While this is the intended purpose, the requirement for Full Disk Access increases the risk if the third-party binary contains malicious code.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 9, 2026, 09:12 PM