things-mac
Warn
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads and installs a binary from an unverified GitHub repository (github.com/ossianhempel/things3-cli) using the Go compiler.
- [COMMAND_EXECUTION]: The skill instructs the user to grant 'Full Disk Access' on macOS. This is a high-privilege permission that allows the application to bypass standard file system protections and access sensitive data across the entire drive.
- [DATA_EXFILTRATION]: The skill reads sensitive personal information from the local Things 3 SQLite database, including tasks, notes, and project structures.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its ingestion of database content.
  - Ingestion points: Local database records retrieved via commands like 'things inbox' and 'things search' in SKILL.md.
  - Boundary markers: Absent; there are no delimiters or instructions to ignore embedded commands in the retrieved task data.
  - Capability inventory: The skill can execute CLI commands and modify database content via 'things add' and 'things update'.
  - Sanitization: No sanitization or validation of the data retrieved from the database is performed before it is processed by the agent.