things-mac
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONCREDENTIALS_UNSAFE
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill installs a binary from an untrusted GitHub user account ('ossianhempel') via 'go install' and a Homebrew tap. According to the [TRUST-SCOPE-RULE], this source is not verified, and executing unverified binaries is a significant security risk.
- [COMMAND_EXECUTION] (LOW): The skill relies on executing the 'things' CLI tool to interact with the local filesystem and application. While functional, this grants the agent the ability to run arbitrary arguments through this binary.
- [CREDENTIALS_UNSAFE] (LOW): The skill instructs the user to store a sensitive 'THINGS_AUTH_TOKEN' in their shell profile ('~/.zshrc'). This token grants write access to the user's task management system.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill ingests untrusted data (task titles, notes, queries) and passes them as arguments to the 'things' command.
- Ingestion points: Task notes and titles provided via prompt interpolation in 'things add' and 'things update' (File: SKILL.md).
- Boundary markers: Absent; no delimiters are used to separate user data from command flags.
- Capability inventory: File system read (DB), URL scheme execution (Write), and AppleScript execution (Delete) via the 'things' binary.
- Sanitization: Absent; input is passed directly to CLI arguments.
Audit Metadata