things-mac
Audited by Socket on Mar 1, 2026
1 alert found:
Security: This skill is consistent with its stated purpose: it reads the local Things database and performs task creation/updates via the Things URL scheme. The primary risks are supply-chain (unpinned `go install ...@latest`), the need to grant Full Disk Access to the calling app (broad filesystem permission), and standard credential handling for THINGS_AUTH_TOKEN (environment/CLI). There is no evidence in the provided content of network exfiltration, remote command execution, obfuscation, or malicious endpoints. Overall the package appears functionally appropriate but users should be cautious about granting Full Disk Access and should prefer installing a pinned release (or reviewing source) rather than using @latest to reduce supply-chain risk.