Things plus

v1.2.1

Personal task manager powered by Things 3. Trigger when the user asks to add, capture, review, organize, reprioritize, search, or manage tasks in Things. Als...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (Things 3 task manager) matches the declared requirement of the 'things' CLI and a THINGS_AUTH_TOKEN primary credential. No unrelated services or credentials are requested.
Instruction Scope
SKILL.md instructs the agent to use the 'things' CLI and macOS tooling (mdfind, shell inspection) to read and write tasks, verify auth, and verify writes by read-back. It also suggests reading the execution context (echo $SHELL) and advises editing shell environment files to set THINGS_AUTH_TOKEN, which is reasonable for this integration, and it explicitly avoids asking the user to paste tokens into chat.
Install Mechanism
The skill is instruction-only (no install spec). The setup recommends installing via a third‑party Homebrew tap (ossianhempel/tap/things3-cli). That is expected for a CLI wrapper but is a modest risk if you don't trust that tap; the skill itself does not automatically download or execute remote code.
Credentials
Only the THINGS_AUTH_TOKEN credential is declared as primary. The SKILL.md references only that token and the local shell context; it does not request unrelated secrets or other service credentials.
Persistence & Privilege
'always' is false and the skill is user-invocable; it does not request permanent/system-wide changes. It may perform destructive actions (deletes) via the Things CLI, but SKILL.md documents conservative safeguards (UUID usage, read-back verification, retries) and asks for clarification on ambiguous deletions.
Assessment
This skill appears to do what it says: it uses the Things 3 CLI and an auth token to manage tasks. Before installing/using it:
1) Confirm you trust the Homebrew tap (ossianhempel) referenced in the setup steps; installing from third-party taps carries more risk than official repos.
2) Do not paste your THINGS_AUTH_TOKEN into chat; follow the skill's guidance to set it in your environment (it explicitly tells the agent to run things auth to check).
3) Be aware the agent will run local commands that can add/update/delete items in your Things database; the skill documents safeguards (use UUIDs, read-back verification, retries) but you should run initial actions on disposable/test items to confirm behavior.
4) Only grant Full Disk Access to the calling app if absolutely necessary and you understand the implications.
If you want extra caution, test the skill in a restricted account or with a test Things database before enabling it for real personal data.


latestvk974qzna91ejnt82rwe8ndfnjh83kj88


Runtime requirements

Bins: things
Primary env: THINGS_AUTH_TOKEN
