Things Mac
Suspicious
Audited by ClawScan on May 1, 2026.
Overview
The skill is mostly coherent for managing Things 3, but it asks users to grant Clawdbot or Terminal Full Disk Access, which is a broad local permission beyond just task management.
Install this only if you are comfortable giving the agent workflow access to your Things 3 data. Be especially cautious before granting Full Disk Access to Clawdbot or Terminal, because that permission is broader than this skill's task-management purpose. Prefer dry-run for writes, protect any Things auth token, and consider pinning or reviewing the external CLI before installation.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Granting this permission could allow the calling app to access many private files on the Mac, even though the skill's purpose is limited to Things 3 task management.
Full Disk Access grants the calling application broad local-file privileges, not just scoped access to the Things database needed for this skill.
> If DB reads fail: grant **Full Disk Access** to the calling app (Terminal for manual runs; `Clawdbot.app` for gateway runs).
Try the skill without Full Disk Access first, use the narrowest Things database path configuration available, and revoke Full Disk Access when it is no longer needed.

Anyone who obtains the token may be able to perform authorized Things update operations.
The token is purpose-aligned because Things update operations require authorization, but it is still a credential-like value that can authorize task changes.
> Optional: set `THINGS_AUTH_TOKEN` to avoid passing `--auth-token` for update ops.
Keep the token private, avoid pasting real tokens into chat or logs, and use it only for update operations that need it.

A mistaken command could create incorrect tasks or mark existing tasks completed or canceled.
The CLI can add and update todos, including marking them completed or canceled. This is disclosed and aligned with the skill's purpose, but it changes user data.
> Add: `things add "Title" --notes "..."` ... `things update --id <UUID> --auth-token <TOKEN> --completed` / `--canceled`
Use dry-run for uncertain writes and ask for clear user confirmation before changing existing tasks.

The installed CLI may change over time as the upstream module changes.
The install step fetches an external Go CLI at the moving `@latest` version rather than a pinned version in the provided artifacts.
> `github.com/ossianhempel/things3-cli/cmd/things@latest`
Review the upstream project and consider pinning a specific trusted version before installation.

Personal task details may be shown to or processed by the agent when using list, search, or inspect commands.
The skill intentionally retrieves local task data into the agent workflow. This is expected for the purpose, but task titles, notes, projects, and tags can contain private information.
> Use `things` to read your local Things database (inbox/today/search/projects/areas/tags)
Limit queries to the task data you actually want the agent to see, and avoid using the skill for highly sensitive Things content.
