things-mac
Warn
Audited by Gen Agent Trust Hub on Apr 24, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill installs an external binary from a third-party GitHub repository (github.com/ossianhempel/things3-cli) using the go install command during the setup process.
- [COMMAND_EXECUTION]: The skill executes shell commands with arguments derived from user input and instructs the user to grant 'Full Disk Access' to the application on macOS. This is a high-privilege permission that allows access to sensitive system-wide data including mail, messages, and backups.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection.
  - Ingestion points: The skill reads tasks and notes from the local Things database (SKILL.md).
  - Boundary markers: No delimiters are used to wrap or identify data from the database.
  - Capability inventory: The skill can execute shell commands via the things binary (SKILL.md).
  - Sanitization: No validation or sanitization of database content is performed before processing.
Audit Metadata