things-mac
Warn
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTIONCREDENTIALS_UNSAFE
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill promotes the installation of a binary from a third-party GitHub repository (
github.com/ossianhempel/things3-cli) using thego installcommand. This pattern involves downloading and executing code from an external, non-authoritative source at runtime. - [EXTERNAL_DOWNLOADS]: The skill's setup instructions and metadata configuration involve fetching remote software and dependencies from GitHub during the installation process.
- [COMMAND_EXECUTION]: The skill requires the user to grant 'Full Disk Access' to the application on macOS. This is a high-privilege permission that bypasses standard sandboxing and allows the tool to read sensitive data across the entire disk, which is utilized here to access the Things 3 SQLite database.
- [DATA_EXFILTRATION]: The skill reads personal data from the local Things 3 database, including task titles, notes, checklists, and project structures. While no explicit network exfiltration was detected in the skill instructions, the access to this sensitive data is a prerequisite for exfiltration.
- [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface by ingesting untrusted content from the user's task database into the agent's context. Malicious instructions hidden within task notes or titles could influence agent behavior during search or listing operations.
- Ingestion points:
things inbox,things today,things search, and other database read commands. - Boundary markers: None present; the skill does not use delimiters to wrap the data retrieved from the database.
- Capability inventory: The skill has the ability to execute shell commands and modify local data via
things addandthings update. - Sanitization: No sanitization or validation of the retrieved database content is performed before passing it to the agent.
- [CREDENTIALS_UNSAFE]: The skill utilizes an authentication token (
THINGS_AUTH_TOKEN) for data modification operations. While it suggests using environment variables, the command-line examples also demonstrate passing the token as a visible flag (--auth-token), which could expose it in process lists or shell history.
Audit Metadata