Things Mac 1.0.0
Pass
Audited by ClawScan on May 10, 2026.
Overview
This skill appears to do what it says—manage Things 3 on macOS—but it involves local task-database access, optional update credentials, and an unpinned third-party CLI install.
This looks like a coherent Things 3 integration. Before installing, make sure you trust the upstream things3-cli package, understand that local task data may be read into the agent conversation, and only grant Full Disk Access or provide THINGS_AUTH_TOKEN when you need those capabilities.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill means trusting the current upstream version of the Things CLI package, which could change over time.
The skill relies on installing a third-party Go CLI at the moving @latest version. This is central to the stated purpose, but the reviewed artifacts do not include that CLI's source code or pin a specific version.
go | module: github.com/ossianhempel/things3-cli/cmd/things@latest | creates binaries: things
Install only from a trusted upstream source, and consider pinning or reviewing a known version of the CLI if you need stronger supply-chain assurance.
The agent may view and include personal Things data in its responses when you ask it to list or search tasks.
The skill can retrieve local Things task data, which may include private task titles, notes, projects, areas, and tags. This is disclosed and purpose-aligned, but it is sensitive local context.
Use `things` to read your local Things database (inbox/today/search/projects/areas/tags)
Use targeted queries, avoid asking the agent to expose more task data than needed, and be careful with sensitive notes stored in Things.
Granting Full Disk Access to the calling app can expose more local files to that app, and the auth token can allow task updates such as moving, completing, or canceling todos.
The skill may require a broad macOS privacy permission for database reads and an optional Things auth token for update operations. Both are disclosed and tied to the Things workflow, but they are sensitive privileges.
If DB reads fail: grant **Full Disk Access** to the calling app ... Optional: set `THINGS_AUTH_TOKEN` ... modify a todo (needs auth token)
Grant Full Disk Access only if needed, revoke it when no longer needed, and provide the Things auth token only for update tasks you intend to perform.
If invoked, the agent can create or change tasks in Things, including marking items completed or canceled.
The documented CLI operations can mutate Things data. This matches the skill's purpose and includes dry-run examples, but it is still a tool with write authority.
Write (URL scheme) ... Add: `things add "Title" ...` ... Complete/cancel ... `things update --id <UUID> --auth-token <TOKEN> --completed` / `--canceled`
Ask for dry-run previews or confirmations before important updates, especially for bulk or ambiguous task changes.
