things-app
Pass
Audited by Gen Agent Trust Hub on Jun 28, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs users to install an external command-line utility (
things3-cli) via Homebrew from the author's repository (ossianhempel/tap/things3-cli). This tool is required for reading the local Things database. - [COMMAND_EXECUTION]: The skill uses
osascript(AppleScript) to perform advanced structural edits within the Things 3 application, such as renaming or deleting areas and projects, which are not supported by the standard CLI or URL scheme. - [CREDENTIALS_UNSAFE]: The skill documentation identifies the need for an authentication token (
THINGS_AUTH_TOKEN) for update operations. It correctly advises against hardcoding these values, suggesting the use of environment variables, and provides empty placeholders for manual configuration.
Audit Metadata