things-mac

Warn

Audited by Gen Agent Trust Hub on Jun 22, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONCREDENTIALS_UNSAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the installation of a CLI tool from a personal GitHub repository (github.com/ossianhempel/things3-cli) using go install. The tool is unversioned (@latest), posing a supply chain risk.
  • [COMMAND_EXECUTION]: The skill uses shell commands to interact with the things CLI. User-provided data (e.g., task notes and search queries) is interpolated directly into command arguments (e.g., things add "Title" --notes "..."). There is no evidence of sanitization or the use of boundary markers, which could allow for command injection or argument injection attacks. Ingestion points: Task metadata and queries in SKILL.md. Boundary markers: None present. Capability inventory: Shell execution of the things binary. Sanitization: None detected.
  • [DATA_EXFILTRATION]: The skill accesses and reads the local Things 3 SQLite database (ThingsData-*). This provides the agent with access to potentially sensitive personal data including tasks, projects, and areas. To function, it recommends granting "Full Disk Access" to the application, which significantly broadens the system's attack surface by bypassing privacy controls.
  • [CREDENTIALS_UNSAFE]: The skill documentation suggests using a THINGS_AUTH_TOKEN and provides examples where it is passed as a command-line argument (--auth-token <TOKEN>). This practice can expose sensitive credentials in the system's process list or shell history.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 22, 2026, 05:36 PM
Security Audit — agent-trust-hub — things-mac