things-mac

Pass

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION

Full Analysis
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill installs the things3-cli tool directly from a non-whitelisted GitHub repository (github.com/ossianhempel/things3-cli) using go install. While necessary for the skill's functionality, this introduces a dependency on unverified third-party code.
  • [COMMAND_EXECUTION] (LOW): The skill executes the things binary to read from and write to the Things 3 application. This is the primary function of the skill and matches the user's intent.
  • [DATA_EXPOSURE] (LOW): To function, the skill requires "Full Disk Access" on macOS to read the local SQLite database used by Things 3. Users should be aware that this grants the agent visibility into all their private tasks, projects, and notes.
  • [PROMPT_INJECTION] (LOW): This skill is susceptible to Indirect Prompt Injection (Category 8). It reads data (task titles, notes) from the local database that may contain attacker-controlled content if the user has added tasks from untrusted web sources.
      • Ingestion points: things inbox, things today, things search, things upcoming.
      • Boundary markers: No specific delimiters are used to separate task content from agent instructions.
      • Capability inventory: The skill can perform write operations via things add and things update.
      • Sanitization: No sanitization of the database content is performed before it is presented to the agent.

Audit Metadata
Risk Level: SAFE
Analyzed: Feb 18, 2026, 06:11 PM