things-mac
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill installs an external binary from an untrusted personal GitHub repository (github.com/ossianhempel/things3-cli) using the
go installcommand. - [COMMAND_EXECUTION]: The skill executes multiple commands via the
thingsCLI and requires the user to grant "Full Disk Access" to the application. This permission allows the tool to read sensitive files across the system to access the local Things database. - [DATA_EXFILTRATION]: The skill accesses the local Things 3 database (ThingsData), which contains private user tasks, notes, and metadata. While no direct network exfiltration is identified, it enables the agent to process highly sensitive local information.
- [PROMPT_INJECTION]: The skill has an indirect prompt injection surface because it processes untrusted data from the local database.
- Ingestion points: Data is read from the user's local database via
things inbox,things today, andthings searchcommands. - Boundary markers: There are no boundary markers or instructions to the agent to ignore embedded commands within the retrieved data.
- Capability inventory: The skill possesses write capabilities including
things addandthings update, allowing for modification of the task database. - Sanitization: No sanitization or validation of the task data is performed before it is returned to the agent's context.
Audit Metadata