things3-manager
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [Unverifiable Dependencies & Remote Code Execution] (LOW): The setup.sh script installs the things-py package from PyPI. This is an external dependency required for the skill's primary function. Per the trust-scope-rule, its severity is lowered as it is tied to the primary skill purpose.\n- [Command Execution] (LOW): The skill utilizes osascript via Python's subprocess module to trigger the Things 3 URL scheme for creating and updating tasks. This is a standard automation practice on macOS.\n- [Indirect Prompt Injection] (LOW): The skill ingests user-controlled data (task titles, notes) from the local Things 3 application. This creates a surface for indirect prompt injection if the database contains malicious instructions intended to manipulate the agent.\n
- Ingestion points: scripts/formatters.py (formats tasks retrieved via the things library).\n
- Boundary markers: No delimiters or ignore-instructions warnings are present in the provided scripts.\n
- Capability inventory: AppleScript execution via osascript, local file system writes in the .skills-data directory.\n
- Sanitization: No sanitization of task content is performed before it is presented to the agent.\n- [Dynamic Execution] (LOW): The setup script generates a bash wrapper script at runtime to manage the local environment. This is a common and low-risk pattern for localized agent tools.
Audit Metadata