things-mac
Warn
Audited by Gen Agent Trust Hub on Jun 22, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONCREDENTIALS_UNSAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the installation of a CLI tool from a personal GitHub repository (
github.com/ossianhempel/things3-cli) usinggo install. The tool is unversioned (@latest), posing a supply chain risk. - [COMMAND_EXECUTION]: The skill uses shell commands to interact with the
thingsCLI. User-provided data (e.g., task notes and search queries) is interpolated directly into command arguments (e.g.,things add "Title" --notes "..."). There is no evidence of sanitization or the use of boundary markers, which could allow for command injection or argument injection attacks. Ingestion points: Task metadata and queries inSKILL.md. Boundary markers: None present. Capability inventory: Shell execution of thethingsbinary. Sanitization: None detected. - [DATA_EXFILTRATION]: The skill accesses and reads the local Things 3 SQLite database (
ThingsData-*). This provides the agent with access to potentially sensitive personal data including tasks, projects, and areas. To function, it recommends granting "Full Disk Access" to the application, which significantly broadens the system's attack surface by bypassing privacy controls. - [CREDENTIALS_UNSAFE]: The skill documentation suggests using a
THINGS_AUTH_TOKENand provides examples where it is passed as a command-line argument (--auth-token <TOKEN>). This practice can expose sensitive credentials in the system's process list or shell history.
Audit Metadata