things-mac
Warn
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill installs the things3-cli binary from an external GitHub repository (github.com/ossianhempel/things3-cli) using the go install command.
- [COMMAND_EXECUTION]: The skill executes the things CLI tool to read the database and perform write operations via macOS URL schemes.
- [COMMAND_EXECUTION]: The skill requires the user to grant "Full Disk Access" to the calling application, which is a high-privilege permission that allows access to sensitive system and user files.
- [DATA_EXFILTRATION]: The skill reads data from the local Things 3 database, which contains personal task information, and exposes it to the agent's context.
- [CREDENTIALS_UNSAFE]: The documentation encourages the use of THINGS_AUTH_TOKEN in the environment or via command-line flags. Passing tokens via CLI flags can expose them in process listings (e.g., via ps).
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests task content from the local database that could contain malicious instructions.
  - Ingestion points: things search, things inbox, things today, things upcoming.
  - Boundary markers: No boundary markers or instructions to ignore embedded content are specified.
  - Capability inventory: Shell command execution via the things CLI.
  - Sanitization: No input sanitization or validation is performed on the data retrieved from the database.
Audit Metadata