things-mac
Warn
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: During installation the skill downloads source code from a third-party GitHub repository that is not on the trusted vendors list (github.com/ossianhempel/things3-cli).
- [REMOTE_CODE_EXECUTION]: The installation step runs `go install github.com/ossianhempel/things3-cli/cmd/things@latest`, which fetches, compiles and installs whatever the remote source currently holds. The `@latest` selector is not pinned to a tag or commit, so the code that gets built can change between installs without any change to the skill itself.
- [COMMAND_EXECUTION]: The skill performs its primary functions by executing the `things` binary, which reads local Things 3 database files and sends data through macOS URL schemes.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection.
  - Ingestion points: Data is read from the local Things 3 database through commands such as `things inbox`, `things today` and `things search` (SKILL.md).
  - Boundary markers: None identified; database content (task titles, notes) is likely interpolated directly into the agent's context, so text written into a task can read as instructions to the agent.
  - Capability inventory: The skill can execute CLI commands and can potentially send network requests via the URL scheme handler, which is what injected instructions would try to drive.
  - Sanitization: There is no evidence that task titles or notes retrieved from the database are sanitized or escaped before reaching the agent.
Audit Metadata