← Back to Skills Marketplace
MH things-mac
by
mohdalhashemi98-hue
· GitHub ↗
· v1.0.0
569
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install mh-things-mac
Description
Manage Things 3 via the `things` CLI on macOS (add/update projects+todos via URL scheme; read/search/list from the local Things database). Use when a user as...
Usage Guidance
This skill appears to do what it says — manage Things 3 via the 'things' CLI — but it requires access to your local Things database and may need you to grant Full Disk Access to the calling app (OpenClaw.app) for gateway/autonomous runs. Before installing/using: 1) Review and trust the upstream repo (github.com/ossianhempel/things3-cli); prefer installing a pinned release instead of '@latest' to avoid pulling unexpected code. 2) Only grant Full Disk Access to OpenClaw.app if you understand and accept that it gives broad filesystem access; if unsure, run the CLI manually from Terminal instead. 3) Treat THINGS_AUTH_TOKEN as a secret: store it securely and only provide it if you need write/update operations. 4) If you are concerned about autonomous agent actions, restrict or disable autonomous invocation for this skill and enable it only when you explicitly want the agent to perform Things operations. 5) Optionally inspect the ThingsData-* path and the CLI locally before permitting gateway access.
Capability Analysis
Type: OpenClaw Skill
Name: mh-things-mac
Version: 1.0.0
The skill is classified as suspicious due to several high-risk capabilities, even though they are plausibly needed for its stated purpose of managing Things 3. The `SKILL.md` instructs OpenClaw to install the `things3-cli` via `go install github.com/ossianhempel/things3-cli/cmd/things@latest`, which introduces a supply chain risk by fetching and executing code from a remote repository. Additionally, the skill explicitly mentions the need to grant 'Full Disk Access' to OpenClaw.app for database reads, which is a broad and high-privilege permission. The skill also involves handling `THINGS_AUTH_TOKEN` for update operations, a sensitive credential. While there is no evidence of intentional malicious behavior (data exfiltration, backdoors, or prompt injection with harmful objectives), these capabilities represent significant vulnerabilities if exploited.
Capability Assessment
Purpose & Capability
Name/description match the requirements: the skill needs the 'things' CLI and offers commands to read the local Things DB and invoke the Things URL scheme. The install spec (go install of github.com/ossianhempel/things3-cli/cmd/things) produces the expected 'things' binary. There are no unrelated binaries or env vars requested.
Instruction Scope
Runtime instructions explicitly direct reading the local Things database (inbox/today/upcoming/search/projects/areas/tags) and recommend granting Full Disk Access to the calling app (Terminal for manual runs; 'OpenClaw.app' for gateway/autonomous runs) if DB reads fail. Reading the ThingsData-* folder and recommending Full Disk Access are coherent with the skill's purpose but are materially elevated privileges (broad filesystem access) and a privacy consideration.
Install Mechanism
Installation uses 'go install' of a public GitHub module (github.com/ossianhempel/things3-cli/cmd/things@latest) to create the 'things' binary. This is a standard mechanism but pulls the 'latest' module source at install time — moderate risk if you don't trust the repo or want deterministic builds. No suspicious download hosts or extract-from-arbitrary-URL behavior present.
Credentials
The registry lists no required env vars. SKILL.md references optional envs: THINGSDB (path to ThingsData-* folder) and THINGS_AUTH_TOKEN (used for updates). These are proportionate: the auth token is only needed for write/update operations; THINGSDB relates to reading the local DB. Still, THINGS_AUTH_TOKEN is sensitive and should be provided/stored securely if used.
Persistence & Privilege
always:false (not force-installed). The skill permits autonomous invocation (disable-model-invocation:false), which is platform default. Combined with the need to read the local Things DB and the instruction to grant Full Disk Access to the gateway app, autonomous invocation increases the potential blast radius — consider enabling only when needed or restricting agent autonomy.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install mh-things-mac - After installation, invoke the skill by name or use
/mh-things-mac - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Priority upload batch
Metadata
Frequently Asked Questions
What is MH things-mac?
Manage Things 3 via the `things` CLI on macOS (add/update projects+todos via URL scheme; read/search/list from the local Things database). Use when a user as... It is an AI Agent Skill for Claude Code / OpenClaw, with 569 downloads so far.
How do I install MH things-mac?
Run "/install mh-things-mac" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is MH things-mac free?
Yes, MH things-mac is completely free (open-source). You can download, install and use it at no cost.
Which platforms does MH things-mac support?
MH things-mac is cross-platform and runs anywhere OpenClaw / Claude Code is available (darwin).
Who created MH things-mac?
It is built and maintained by mohdalhashemi98-hue (@mohdalhashemi98-hue); the current version is v1.0.0.
More Skills