things-mac
Warn
Audited by Gen Agent Trust Hub on Apr 18, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill automatically installs the `things` CLI from a third-party GitHub repository (github.com/ossianhempel/things3-cli) using the `go install` command, introducing unverified external code into the execution environment.
- [COMMAND_EXECUTION]: It relies on shell command execution via the `things` binary to manage tasks. It also instructs users to grant 'Full Disk Access' to the application, which is a significant privilege escalation on macOS required to read the local SQLite database.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it reads user-controlled data (task titles, notes, and project names) from the local database. This content could contain malicious instructions that the agent might follow in subsequent steps.
  - Ingestion points: Data enters the context via `things inbox`, `things today`, and `things search` commands in `SKILL.md`.
  - Boundary markers: No delimiters or instructions to ignore embedded commands are present when data is fetched.
  - Capability inventory: The agent has the ability to execute system commands via the `things` CLI.
  - Sanitization: There is no evidence of validation or sanitization of the fetched database content before it is processed by the agent.
- [CREDENTIALS_UNSAFE]: The skill uses a `THINGS_AUTH_TOKEN` for write operations. The instructions suggest that this token can be passed as a command-line argument (`--auth-token`), which can lead to credential exposure in system process logs or history.
Audit Metadata