things-mac

Warn

Audited by Gen Agent Trust Hub on Mar 30, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill fetches and installs a binary from an external GitHub repository (github.com/ossianhempel/things3-cli) using the go install command, which constitutes an unverified third-party dependency.
  • [COMMAND_EXECUTION]: The skill executes shell commands using the things CLI to interact with the local Things 3 database. It also requires the user to grant 'Full Disk Access' to the application on macOS, which is an elevated permission requirement.
  • [DATA_EXFILTRATION]: The skill accesses the local Things 3 SQLite database to read personal task information and requires an authentication token (THINGS_AUTH_TOKEN) for write operations.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from the local database that could contain malicious instructions.
    • Ingestion points: Reads task titles, notes, and project details via things inbox, things today, and things search commands in SKILL.md.
    • Boundary markers: No delimiters or instructions are provided to the agent to ignore potentially malicious content within the retrieved tasks.
    • Capability inventory: The skill can execute shell commands and modify local application data via the things CLI.
    • Sanitization: No evidence of sanitization or validation of the data retrieved from the Things 3 database.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 30, 2026, 01:08 AM