skills/steipete/clawdis/things-mac/Gen Agent Trust Hub

things-mac

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [Data Exposure & Exfiltration] (HIGH): The skill accesses the Things 3 SQLite database (referenced via THINGSDB or default local paths), which contains sensitive personal information including private tasks, notes, and project structures.
  • [Indirect Prompt Injection] (HIGH):
      • Ingestion points: Data enters the agent context through 'things search', 'things inbox', and 'things today' commands which read task content from the local database.
      • Boundary markers: None are specified in the prompt instructions to delimit untrusted task data.
      • Capability inventory: The skill possesses 'things add' and 'things update' capabilities which can modify the task database based on agent decisions.
      • Sanitization: No sanitization of task content is performed before processing.
  • [Unverifiable Dependencies] (MEDIUM): The skill requires installation of 'github.com/ossianhempel/things3-cli' via 'go install'. This repository is not within the trusted source list, posing a risk of malicious code execution during or after installation.
  • [Privilege Escalation] (HIGH): The documentation explicitly instructs users to grant 'Full Disk Access' to the calling application (e.g., the agent host). This bypasses macOS security sandboxing to allow the CLI to read the protected database file.
  • [Command Execution] (LOW): The skill relies on executing the 'things' CLI command to perform its primary functions.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 15, 2026, 11:02 PM